
Identifying tech problems through metrics
PAGE 30


DIFFERENT COUNTRIES. DIFFERENT COMPANIES.

SSCP
CISSP

ONE COMMON LANGUAGE.

ISO/IEC 17024

SSCP from (ISC)2. Credentialing the world’s most qualified Information Security workforce.

Businesses worldwide share a common priority: ensuring their information security policy is the best. Now they can share the same language. (ISC)2 has credentialed tens of thousands of the world’s most qualified information security professionals, in over 100 countries around the globe. Equipped with an SSCP credential from (ISC)2, your information security workforce speaks a common language. Shares common platform knowledge. And understands how best to implement, monitor and secure your information security organization. Which translates into a more secure business. Speak to (ISC)2 today.

FOR MORE INFORMATION, CALL 1.866.462.4777 OR VISIT www.ISC2.ORG/security

security transcends technology. INTERNATIONAL INFORMATION SYSTEMS SECURITY CERTIFICATION CONSORTIUM, INC.


“It does what we want it to do from a security perspective, and it doesn’t bog down the distribution.”

-GRAHAM OF PURDUE PHARMA, ON RFID


COLUMNS

14 White Hats and Black Boxes
MACHINE SHOP An introduction to the murky science of Web application security. By Simson Garfinkel

36 A Pothole on Wall Street
UNDERCOVER A financial services CISO ponders a huge, unchecked vulnerability in how the industry processes market news.

DEPARTMENTS

Briefing
HSPD-12: Slow out of the gate; How to protect your reputation online; British test biometrics at borders; E-filing for drug approval; Typecasting in a crowd

40 Debriefing
Quotes of Note

18 Cover Story The 5 Myths of RFID
SUPPLY CHAIN SECURITY Big pharma’s RFID trials aim to keep fake drugs out of your medicine cabinet—but the technology has significant limitations. By Sarah D. Scalet

IN EVERY ISSUE
2 CSOonline.com
From the Editor
38 Index

24 How to Control Crowds in Ancient Pompeii
CROWD MANAGEMENT What computer models are telling us about how to manage a crowd, the ancient Romans already seemed to know. By Scott Berinato

Using Metrics to Diagnose Problems: A Case Study
BOOK EXCERPT From Andrew Jaquith’s Security Metrics: Replacing Fear, Uncertainty, and Doubt.

Secure Locations
SECURE FACILITIES Since the early days of the Cold War, the federal government has required secure facilities to keep national secrets safe. Private-sector CSOs looking to build a secure building can find lessons from the feds hiding in plain sight. By Katherine Walsh

COVER ILLUSTRATION BY BRIAN STAUFFER

May 2007 www.csoonline.com 1


Vista and Other Endpoints

Thinking about moving to Microsoft’s latest operating system, but unsure about pulling the trigger? Send your questions about Vista to Shawna McAlearney (smcalearney@cxo.com) and we’ll help you get the inside view on security issues from experts like HD Moore, Hugh Thompson and Microsoft’s Jeff Jones. Vista is just one of the issues covered in our Endpoint Security Virtual Conference, online on May 23. (Full details are available at endpointsecurityconference.com.)

Blogs and More Blogs

Newest bloggers on CSOonline include Michael Smith on Enterprise Linux and Chad McDonald on Apple security. You can find their insights, rants and invective along with all our bloggers at blogs.csoonline.com.

Schneier: Security on the Couch

Bruce Schneier used to malign “security theater” aimed at making people feel secure instead of making them actually secure. In our exclusive podcast, Schneier says his views have changed. You can hear his thoughts at www.csoonline.com/podcasts.

“Can you imagine all the good uses we could put our time and money toward if we didn’t have to protect ourselves against hackers and idiots—like building a better product with lots of really great features? I’m confident we’d see a lot more robots in everyday use.”

-ED ADAMS IN HIS SECURITY CURMUDGEON BLOG, BLOGS.CSOONLINE.COM/NODE/252


President and CEO Michael Friedenberg
Publisher Bob Bragdon

EDITORIAL
Editor in Chief Derek Slater
Senior Editors Scott Berinato, Sarah D. Scalet
Editor at Large Simson Garfinkel
Assistant Managing Editor Emily S. Henderson
Senior Copy Editor Cathy Mallen
Copy Editor Susan Bryant-Still
Associate Staff Writers Christopher Lynch, Katherine Walsh
Editorial Administrator Jill Paquette
Contributors Jeremy Kirk, Margaret Locher

DESIGN
Executive Director, Art and Design Mary Lester
Art Director Steve Traynor

RESEARCH
Research Manager Carolyn Johnson
Senior Research Analyst Seanna Maguire

ONLINE EDITORIAL
Online Editorial Director Christopher Lindquist
Online Managing Editor Michael Goldberg
Senior Online Editors Sandy Kendall, Meridith Levinson, Shawna McAlearney, Esther Schindler
Associate Online Editor Diann Daniel
Online Writer Al Sacco
Online Copy Editor David Gradijan

INFORMATION SYSTEMS
IDG Director of Information Services Nancy Newkirk
IT Manager Sean McCracken
Senior User Support Specialists Christopher A. Kay, Thomas Lupien
User Services Specialist Gloria Lam
Associate User Support Specialist James Brevard
Senior Web Developer David Cohen
Web Developer Sanghee Seo

CXO MEDIA / IDG
COO Matt Smith
CSO Robert Hayes

CXO MEDIA INC.

INTERNATIONAL DATA GROUP
Board Chairman Patrick J. McGovern
President, IDG Communications Bob Carrigan

BPA WORLDWIDE


» Worms, trojans, zombies, phishers and spyware all nipping at your network? Then jump to Juniper. Juniper Networks security solutions scale from large distributed enterprises to small businesses—protecting the entire network against internal and external threats.

It’s security that’s comprehensive, cost-effective, never compromised.

Juniper Networks

Only Juniper makes any network more secure: www.juniper.net/threatmanagement

1.888.JUNIPER


Convergence Is Over, Hooray

“Ask me what I think about convergence,” said George Campbell, onstage at our recent CSO Perspectives conference. Campbell was on a panel of honorees of the 2007 CSO Compass Awards.

I obliged: “OK, George, what do you think about convergence?”

“I think it’s crap,” said Campbell.

The audience laughed; I laughed. (Campbell did not laugh.) George Campbell isn’t one to mince words. On the other hand, his comment was surprising since he was also an early adopter of what might be termed a converged organizational model—he had responsibility for both corporate and information security as CSO of Fidelity Investments some years ago.

With a little digging, we found that what Campbell objects to isn’t the need for infosec and corporate security to work together. He objects to turf wars and to leaders who look at pieces of the risk management puzzle as potential career conquests.

In fact, I noticed a marked difference at the conference. In past years there’s been a bit of tension or discomfort at the blending of two often-distinct disciplines. But this time around, the concept of meshing security functions together was not just widely accepted, it seemed to have rapidly become a nonissue. Campbell’s onstage comment was about the extent of controversy or pushback on the concept that I heard during the two-plus days. Overall, people seem less hung up on the semantics and the organizational chart issues and turf wars and more interested in just reducing risk and enabling business in the most efficient and cooperative manner possible.

Want one security function with one CSO? Fine. Want infosec to report to the CIO? Groovy. Think a risk management committee better matches your business model or current personnel? Bully for you.

Like Campbell, CSO Perspectives attendees seemed to just want to get the job done without all the politicking. That’s a giant step forward for the profession.

-Derek Slater
dslater@cxo.com


HOW TO REACH US E-mail csoletters@cxo.com Phone 508 872-0080 Fax 508 879-7784 Address CSO Magazine, 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208; Subscriber Services Phone 866 354-1125 Fax 847 564-9453 E-mail cso@omeda.com; Reprints For article reprints (100 quantity or more), contact Keith Williams at PARS International at 212 221-9595 x319 or e-mail keith.williams@parsintl.com.

ABOUT IDG International Data Group (IDG), the leading global provider of IT media, research, conferences and events, informs more people about technology than any other company in the world. Offering the widest range of media options, IDG reaches more than 120 million technology buyers in 85 countries representing 95 percent of worldwide IT spending. IDG publishes more than 300 newspapers and magazines in 85 countries, led by the Computerworld, Infoworld, Macworld, Network World, PC World and CIO global product lines. IDG offers online users the largest network of technology-specific sites around the world through IDG.net (www.idg.net), a gateway to IDG's 330 websites powered by more than 2,000 journalists reporting from every continent in the world. IDG also produces 168 technology-related conferences and events, and research company IDC provides global market intelligence, analysis and forecasts in 43 countries.

PHOTO BY WEBB CHAPPELL


The new iCLASS readers
Price ► same as Prox
Installation ► same as Prox
Power Requirement ► same as Prox
Security ► same as Alcatraz.

hidcorp.com

iCLASS readers offer enhanced security with all the user-friendly features of proximity.

The new iCLASS readers are virtually identical to proximity - in power requirement, ease of use and installation, even price. The only difference is that iCLASS offers enhanced security through encryption and mutual authentication, and its read/write capabilities allow you to add functionality such as biometrics, time and attendance, PC log-on security and more. Plus iCLASS comes from HID. So there’s a lot to feel secure about.


IMPROVE YOUR PROFESSIONAL SKILLS
(ADVANCE TO CREDIBILITY AVENUE)

Exam Registration Deadline: 26 September
Exam Date: 9 December 2007

Certified Information Systems Auditor
CISM Certified Information Security Manager

www.isaca.org/csomag

ISACA
Serving IT Governance Professionals


News, Stats and Fast Facts. Edited by Michael Goldberg

MICHAEL BUTLER, Defense Department access card office director: The federal government is moving toward a standard, authenticated ID and access credential.

CARD NUMBERS Starting on March 1, 2007, the Office of Management and Budget required agencies to post quarterly updates on how many Personal Identity Verification (PIV) cards they have issued, to comply with Homeland Security Presidential Directive 12 (HSPD-12). Below are five of the largest executive departments and the numbers they are reporting about PIV cards. For a more complete list compiled from government websites, see www2.csoonline.com/blog_view.html?CID=32556.


DEPARTMENT          EMPLOYEES WHO NEED PIV CARDS    PIV CARDS ISSUED
Veterans Affairs    241,000                         430
Treasury            121,461                         5
Agriculture         107,000                         7
Interior            64,338                          17
Transportation      52,979                          6

SOURCE: GOVERNMENT WEBSITES

HSPD-12: Slow Out of the Gate
Product testing, contract process hold up worker smart cards

ACCESS CONTROL It’s been called the biggest access control project ever. As of last October, most federal agencies were required to start issuing standard identification cards that could be used for both physical and logical access to government facilities. The idea behind the order, known as Homeland Security Presidential Directive 12 (HSPD-12), is to create a highly secure, standard ID card that is recognized and trusted across the government. The Federal Information Processing Standard 201, known as FIPS 201, sets out strict rules for how agencies must meet HSPD-12. (See our coverage at www.csoonline.com/080106.)

Implementing the ambitious standard has not been easy, and most of the agencies that are technically in compliance have only barely begun. (See chart.) One reason for the slow rollout: At the October deadline, the General Services Administration was still working on its test tool for determining whether a given smart card was interoperable with other components, says Michael Butler, chairman of the Federal Smart Card Interagency Advisory Board and the Department of Defense’s access card office director. Once the tool was completed, all players could test their implementations.

Butler adds that during January and February, both vendors and federal agencies were busy making tweaks to their Personal Identity Verification (PIV) cards. “Now, we’re getting to the point where at least when you talk to [one vendor or agency’s card], it’s going to give the same answers back in the same format as [another vendor or agency’s card]. That’s really the basis for future interoperability,” Butler says.

Another wrinkle: The GSA, which as a shared service provider is issuing PIV cards to other agencies for a fee, is renegotiating its contract with BearingPoint, the consulting and systems integration company it hired to issue the cards. Chris Niedermayer, a member of the Executive Steering Committee running the project governmentwide, says the contract was put out again not because of BearingPoint’s performance, but because another vendor protested the contract.

Niedermayer, who is associate CIO at the U.S. Department of Agriculture, says that his agency, at least, is not getting any additional new PIV cards from the GSA while the contract is being recompeted. He anticipates that card issuance will restart in July and said the delay could have a plus: He expects the new contract to cost less than the current $120 per person.

In the meantime, the USDA has successfully tested the cards using an electronic physical access system at a security turnstile. The department also has set up a test environment for using that same card with a single-sign-on system for users to access up to 236 software applications.

Considering what a major change all of this is, Niedermayer says, “I think the federal government has done very well in terms of stepping up and getting things started.” -Sarah D. Scalet

PHOTO BY DANUTA OTFINOWSKI


How to Protect Your Reputation Online

PASS IT ON Job recruiters warn today’s college graduates to avoid creating Web-based evidence of risky behaviors (read: drugs, alcohol and sex) that they wouldn’t want a prospective employer to see. Those already in the workforce can benefit from such reputation-protecting advice too. “We know that this data for all practical purposes never goes away,” says Mark F. Foley, a partner at Chicago-based Foley & Lardner who advises corporations on data privacy and security issues. “If you upload a 90-second video [of yourself] on the Pensacola beach, there’s a good chance that could be found and used against you someday.” Share these tips with your HR and legal departments to help your employees keep their online noses clean.

Assume that if people can recognize you, they will. Foley says that companies should remind their workers of the risks involved with representing themselves online, a public place in which the context of their words and actions is not controlled by them. While privacy protections vary by country (France is particularly strong), this advice about avoiding risk informs other tips here.

Think about your online identity. You can always go incognito online; not a bad idea if you’re engaging in controversial commentary that you don’t want attached to you in the blogosphere or on a bulletin board or media outlet. Many, including CSOonline, allow anonymous comment posting.

A new meaning for candid camera. Treat the growing plethora of outlets such as photo-sharing site Flickr, the MySpace Web community, the YouTube viral video hub and others like one big machine that could make—or break—your image and reputation.

Watch that avatar. Foley says that companies should remind their workers of the risks involved with representing themselves online. For example, if you create an avatar to go to a place in Second Life that would merit an NC-17 movie rating, you might consider making your online identity appear nothing like your real identity.

-Michael Goldberg

ILLUSTRATION BY BELLE MELLOR


Oracle Fusion Middleware

Industry Leaders Rely On Oracle Identity Management

BRITISH AIRWAYS
Ingersoll Rand
Qualcomm

Oracle Fusion Middleware
Hot-Pluggable. Comprehensive.

Single Sign-on — Access Management — Identity Administration — User Provisioning — Federated Identity
Virtual Directory — LDAP Directory — Web Services Management

oracle.com/middleware or call 1.800.ORACLE.1

Copyright © 2006, Oracle. All rights reserved. Oracle, JD Edwards, PeopleSoft and Siebel are registered trademarks of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.


British Test Biometrics at Borders

BORDER SECURITY The British government—beset by fears of terrorists, crime and illegal immigration—has drawn up wide plans to drop a tight electronic curtain over its borders during the next seven years. It is testing several technologies as part of its e-Borders program, which aims for thorough oversight of travelers coming to the United Kingdom.

So far, more than 60,000 travelers have participated in a program that uses biometric data to speed people through immigration lines. The Iris Recognition Immigration System (IRIS) stores the iris pattern of a person’s eye and passport details in a database, which enables that person to pass through immigration electronically without a face-to-face encounter. The U.K. government says the program has facilitated 210,000 border crossings since its debut in March 2006.

At London’s Heathrow Airport, passengers tested the MiSense program, which encompassed a check-in kiosk and a different biometric electronic immigration system named MiSenseplus, says Stephen Challis, head of product development for BAA, which runs the airport. The 18 participants in the MiSense program (misense.org) included technology vendors, consultants, airlines and British government agencies.

The check-in kiosk used biometric data to verify passengers from check-in through to boarding. The kiosk scanned the number-and-letter code on the passport’s photo page along with the passenger’s fingerprint. Before boarding, the passenger had to pass through a MiSense gate again and pass another fingerprint scan. About 2,000 people used the kiosk during its trial at the Emirates and Cathay Pacific airlines ticket desks.

The immigration part of the program, MiSenseplus, took more biometric data: a retinal scan, 10 fingerprints and a facial scan. About 1,000 people used the system to pass through immigration in London, Dubai and Hong Kong, according to BAA.

The MiSense and MiSenseplus trials ended Jan. 31, while the IRIS project is ongoing. Damon Hunt, press officer for BAA, says both technologies remain under evaluation by the government and he can’t detail future plans, though authorities are pleased so far.

Also ongoing is Project Semaphore, another trial component of e-Borders, which runs through March 2008. The project checks passenger names against government law enforcement databases before they arrive in Britain. So far, 800 people have been arrested as a result of the checks, according to the Home Office.

Eric Woods, government practice director with consultancy Ovum, says most citizens respond positively to plans for stronger borders, even as fierce debates continue in the U.K. and Europe over how that passenger data is handled. The U.K. government has said only that it wants to keep passenger data for a “reasonable” amount of time to trace terrorist movements.

Consultancies such as Ovum estimate e-Borders could cost up to $962 million based on the cost of the US-Visit program. The U.K. plans this summer to pick one of two consortia to provide the systems: BT Emblem, which includes Lockheed Martin and Hewlett-Packard; or Trusted Borders, which includes Raytheon, Accenture and Capgemini. -Jeremy Kirk

Stephen Challis, product development head at airport operator BAA, uses a MiSense kiosk at an airline check-in desk (below). Above, Challis gets his fingerprint checked at the boarding gate.

PHOTOS BY JEREMY KIRK


WHAT IF "YOU'RE FIRED" WAS ONLY SAID ON REAL

It wouldn't make employees angry or fill their minds with criminal intent.

And businesses might not need the support of security experts proficient in both access control and video. They wouldn’t want a security controller that provides the highest level of encryption on the market. Wouldn’t care about cameras that provide images so impressive they’re used to monitor many of the nation’s busiest highways. Wouldn’t need to get critical technical support for both their video and access control systems with a single call. If no one was ever fired, businesses wouldn’t need the most comprehensive pre- and post-sales support to make security reliable and easy. Because it already would be. It all starts by completing the short questionnaire at www.tycoforyourworld.com or by calling 888-840-1438.

SECURITY FOR YOUR WORLD.

AMERICAN DYNAMICS
Software House®
Access control and video systems
KANTECH
Tyco Fire & Security


E-FILING FOR DRUG APPROVAL
Drug maker files trial data via secure link

AUTHENTICATION The pharmaceutical industry has found a new use for digital signatures. In February, AstraZeneca submitted the first end-to-end electronic drug application to the U.S. Food and Drug Administration.

Much of the clinical trials submission process has been electronic for years, but the documents involved—routinely reaching past 1 million pieces of paper for one drug—had to be signed by everyone who worked on a drug trial and then held in active files while the drug is in use (as long as 50 years).

Electronic filing means that information can be stored for quick referral, leading to a faster and cheaper drug application process, proponents argue.

For the digital signatures to be legal, there had to be validation that the transaction occurred, verification that the document had not been tampered with and authentication of the signature of the person who signed the document, according to digital signatures vendor Arcot, which was involved in this transaction.

“As we go forward and look at development of new medicine, the cost is climbing. There are huge efficiencies to be made in R&D, particularly in this area. Forty percent of all R&D costs are paper costs,” says Mollie Shields-Uehling, president and CEO of the nonprofit SAFE-BioPharma Association, which created a digital signature standard for the drug and healthcare industries.

The transaction requires an online certificate service provider to give updates on the status of the credential at the time of the digital signing.

-Margaret Locher
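The three legal requirements the article lists (proof the signing transaction occurred, detection of tampering, and authentication of the signer), together with the check of the credential's status at the moment of signing, worked through in Go. This is an added example, not code from the article or from Arcot or SAFE-BioPharma; the status service, signer ID, key pair and sample document are constructed stand-ins for an online certificate status provider and a real filing.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// Credential is a signer's registered public key plus its revocation time (zero = never revoked).
type Credential struct {
	PublicKey *ecdsa.PublicKey
	RevokedAt time.Time
}

// StatusService stands in for the online certificate status provider: it reports whether a
// credential was good at a given moment, so a filing is judged at signing time, not review time.
type StatusService struct{ creds map[string]Credential }

func NewStatusService() *StatusService { return &StatusService{creds: map[string]Credential{}} }
func (s *StatusService) Register(id string, c Credential) { s.creds[id] = c }
func (s *StatusService) Revoke(id string, at time.Time) {
	c := s.creds[id]
	c.RevokedAt = at
	s.creds[id] = c
}

// StatusAt reports "good", "revoked" or "unknown" for credential id at time t.
func (s *StatusService) StatusAt(id string, t time.Time) (Credential, string) {
	c, ok := s.creds[id]
	switch {
	case !ok:
		return c, "unknown"
	case !c.RevokedAt.IsZero() && !t.Before(c.RevokedAt):
		return c, "revoked"
	default:
		return c, "good"
	}
}

// Signature is the record filed with the document: who signed, when, the digest signed, the signature.
type Signature struct {
	SignerID string
	SignedAt time.Time
	Digest   []byte
	Sig      []byte
}

// GenerateSignerKey makes a fresh P-256 key pair for a signer (constructed, not an issued credential).
func GenerateSignerKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// digest binds the document to the claimed signing time, so altering either invalidates the signature.
func digest(doc []byte, signedAt time.Time) []byte {
	h := sha256.New()
	h.Write([]byte(signedAt.UTC().Format(time.RFC3339Nano) + "\n")) // time stamp, then separator
	h.Write(doc)
	return h.Sum(nil)
}

// SignDocument produces the record a trial participant attaches to a filing.
func SignDocument(priv *ecdsa.PrivateKey, signerID string, doc []byte, signedAt time.Time) (Signature, error) {
	d := digest(doc, signedAt)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, d)
	if err != nil {
		return Signature{}, err
	}
	return Signature{SignerID: signerID, SignedAt: signedAt, Digest: d, Sig: sig}, nil
}

// VerifySubmission runs the three checks in order: the credential was good when the signing
// transaction took place, the document still matches what was signed (tamper detection), and
// the signature authenticates the registered signer. Returns "" on success, else the reason.
func VerifySubmission(svc *StatusService, doc []byte, s Signature) string {
	cred, status := svc.StatusAt(s.SignerID, s.SignedAt)
	if status != "good" {
		return "credential " + status + " at signing time"
	}
	if !bytes.Equal(digest(doc, s.SignedAt), s.Digest) {
		return "document altered"
	}
	if !ecdsa.VerifyASN1(cred.PublicKey, s.Digest, s.Sig) {
		return "signer not authenticated"
	}
	return ""
}

func main() {
	svc := NewStatusService()
	priv, _ := GenerateSignerKey()
	svc.Register("investigator-17", Credential{PublicKey: &priv.PublicKey}) // constructed signer id
	doc := []byte("Clinical study report CSR-0001 (constructed sample)")
	signedAt := time.Date(2007, 2, 15, 10, 0, 0, 0, time.UTC)
	sig, _ := SignDocument(priv, "investigator-17", doc, signedAt)
	fmt.Printf("original: %q\n", VerifySubmission(svc, doc, sig))
	fmt.Printf("altered:  %q\n", VerifySubmission(svc, []byte("Clinical study report CSR-0001 (altered)"), sig))
	svc.Revoke("investigator-17", signedAt.Add(-time.Hour)) // revoked an hour before the signing
	fmt.Printf("revoked:  %q\n", VerifySubmission(svc, doc, sig))
}
```

Revocation dated before the signing time rejects the filing while revocation afterwards does not; a production check would also need the signing time attested by a trusted time source rather than asserted by the signer.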


Know Your Audience
Knowing who’s in a crowd will help you to better control it

CROWD MANAGEMENT No matter how many people are in a crowd, from a crowd management perspective each individual is one of four types of people, according to G. Keith Still, a crowd management expert. (For lessons on crowd control from ancient Pompeii, see “How to Control Crowds in Ancient Pompeii,” Page 24.)

The four types are: Instigators, who find violence attractive; Imitators, who will respond to violence with violence, but who do not instigate it; Reactionaries, who will react violently to an out-of-control situation; Nonviolents, who abhor violence and will try to escape it.

Additionally, any situation that arises in a crowd and increases anxiety—crowding, confusion, a bad call by a referee—can even move people from one crowd type to another, potentially riskier, level. For example, a series of crowd-related frustrations could turn a nonviolent group into reactionaries, who may act out violently, Still says. It’s easy to see how situations can build on themselves.

But the good news is that good crowd management can calm people who might otherwise instigate or imitate. If there’s little anxiety present, the imitators have nothing to imitate, and reactionaries have nothing to react against.

Of course, the vast majority of people are nonviolents, and only a small fraction are instigators or imitators. But all it takes is a few individuals to spark a crowd incident.

The proportions of crowd types change depending on the type of event. That’s where security officers and facility managers need to start, by profiling the type of crowd they expect at an event (see table for examples), which in turn will inform their management of the event.

For example, consider extra monitoring and alcohol restriction policies at a sporting event between rivals, while a rock concert will demand good stage design and ticketing policies. Understanding what types of people are going to use a facility is one of the first steps in effective crowd management.

-Scott Berinato


Hypothetical Distribution of Behavior Types in a Crowd at Certain Events

EVENT                                   INSTIGATORS   IMITATORS   REACTIONARIES   NONVIOLENTS
Rock concert                            1%            2%          7%              90%
Soccer match                            3%            7%          30%             60%
Gladiatorial games in ancient Pompeii   5%            15%         20%             60%

SOURCE: G. KEITH STILL. PERCENTS ARE GENERAL ESTIMATES, AND THE NUMBERS FOR POMPEII ARE SPECULATIVE.

ILLUSTRATION BY BELLE MELLOR


ADVERTISING SUPPLEMENT

Laptop Encryption

Problem solved? Not by itself!

Preventing information leakage requires more than encryption. Vericept’s content-aware security technologies enforce effective data stewardship throughout an organization.

VERICEPT

CSO Custom Solutions Group

Stories of lost or stolen laptops are in the news almost daily, along with estimates of enormous liabilities for organizations involved—not only financial losses, but also damage to reputations and the potential loss of intellectual property.

Vericept solves these problems with content-aware endpoint protection that enforces organization-wide data stewardship policies. ►


Many  firms  look  to  encryption  to  protect  them  from 
exposure  caused  by  lost  or  stolen  laptops.  While 
it  is  an  important  element  of  endpoint  security, 
encryption  is  not  a  comprehensive  solution  on  its 
own.  Encryption  will  not  prevent  authorized  people 
from  inadvertently  or  intentionally  misusing  data 
entrusted  to  them.  A  thorough  approach  to  endpoint 
security  involves  not  only  the  endpoint  devices, 
but  also  organization-wide  policies  and  procedures 
and  accompanying  tools  that  enforce  effective 
data  stewardship.  This  will  ensure  that  sensitive 
information  is: 

►  Only  in  the  hands  of  specifically  authorized 
users 

►  Communicated  only  to  other  authorized  parties 
using  secure  mechanisms 

►  Prevented  from  being  migrated  to  insecure 
locations 

►  Secured  with  safeguards  such  as  encryption 
when  mobility  is  required 

Vericept  enables  organizations  to  create  and 
enforce  links  between  trusted  users  and  the 
various  types  of  content  they  need  to  access  and 
communicate.  Working  through  the  users,  groups, 
and  roles  maintained  in  Active  Directory®,  Vericept 
provides  the  tools  needed  to  implement  policies 
regarding  how  protected  content  is  accessed  and 
communicated  via  email,  instant  messages  (IM), 
webmail,  and  other  protocols. 


How to control an infrastructure that leaves the building every night

Now that laptops outsell desktops, the problem is growing. If more than half of an organization’s IT infrastructure is mobile—at the end of the business day or when employees are remote—what is the best way to protect sensitive data on these endpoint systems? How can control be gained without impeding the flow of business?

Vericept risk management solutions identify sensitive data and how it is being used and deployed. Specifically, Vericept:

► Discovers what information is stored on each laptop

► Sees how it is being communicated

► Provisions employees with tools that enable them to be effective data stewards, and alerts management when they are not

► Applies encryption and other endpoint technologies systematically

► Prevents sensitive data—even paraphrases of protected content—from being emailed, printed, changed or moved to USB drives, regardless of whether laptops are on or off the network

Insiders may put data at risk

Outsiders harvesting sensitive data from stolen laptops are part of the problem, but insiders can inadvertently or maliciously misuse confidential information as well. Without content-aware security, each laptop may contain gigabytes of the most confidential data, since most organizations have few controls over how insiders access and communicate confidential information. The 2006 National Fraud Survey found that internal attacks drained U.S. businesses of 6 percent of their gross revenue. Most of that loss—$348 billion—was tied directly to privileged users.¹

[Figure: How does an information leak happen? Employee emails, prints or copies sensitive files; malicious insider steals data via email or copy; employee goes home with sensitive data on laptop, which is then lost or stolen; malicious outsider breaks in to steal data.]

All data is not created equal

Implementing an organization’s security policies should be based on the degree of confidentiality of its documents, records or communications—and enforced network-wide, not just on PCs and laptops. The overall goal is effective stewardship of data at all times, both as data-at-rest and data-in-motion.

Taking control of information security depends on knowing which data is sensitive, who is authorized to access it, and how they are allowed to use it. Vericept enables organizations to create and enforce appropriate mappings between content risk—its degree of confidentiality—and user risk—based on the roles and trustworthiness of users.


[Figure: Content risk and user risk, each drawn as concentric circles]


The content side of this map can be represented as concentric circles in which the most sensitive information is at the center, with progressively less confidential information surrounding it. Similarly, users can be grouped with trusted insiders at the center, ringed by employees who are allowed access to less confidential data, and the general public around the periphery.

Vericept enforces policies linking content with users

Ensuring that only authorized users access and communicate sensitive data depends on tools that can reliably identify and classify sensitive data based on content. This capability is at the core of Vericept technology. Vericept products can recognize customer records, contracts, protected health information, business plans and an organization’s intellectual property—even paraphrases of protected content. Vericept then provides tools that enable organizations to implement content security policies according to permissions based on users, groups and roles—all without impeding the flow of business.

Content risk and user risk are dynamic relationships. Trusted insiders can become disgruntled, leading to careless handling of confidential information or schemes to steal company data or intellectual property. This is why it is important to gain visibility into behaviors that suggest when employees are moving from trusted to untrusted states. Visibility provides opportunities to preemptively narrow the scope of what they can access.

Four steps to content-aware security

1. Identify what data is sensitive and who should have it.

While it is easy to point to certain folders and files that are confidential, where else is that information? Vericept Discovery systematically finds sensitive data based on the industry’s widest and deepest set of content detection methods. Scanning servers, PCs and laptops, Vericept Discovery identifies data, documents and communications that trigger “hits” in dozens of predefined and custom categories.

2. Discover where sensitive data has migrated and remove it from places it shouldn’t be.

Once an organization has established policies linking content with authorized users, Vericept Discovery can investigate data-at-rest to discover policy violations residing in stored data on desktops, laptops, and file servers. Based on the Vericept Intelligent Content Control Engine™, Discovery analyzes data-at-rest using Vericept Risk Categories to identify and capture corporate governance and compliance policy violations. This enables IT staff to relocate files and know that going forward, only privileged users will be able to access sensitive data.

3. Control how protected content is communicated by users, groups and roles.

With sensitive data only in the hands of authorized users, the focus can turn to making sure that users do not misuse it either inadvertently or maliciously. Vericept can enforce policies such as:

► Contracts and RFPs can be sent only within sales and operations or to specific email accounts of partner organizations.

► Non-public financials can be sent only within accounting and finance, or to senior executives and outside auditors.

► Communications with auditors must be encrypted and can be sent only using the organization’s email system—not via instant messages, webmail or any other channel.

► All confidential business plans emailed outside the company are logged, and employees must certify that each transmission meets the organization’s policies (of which the system can remind them).

► No communications may comment on pending mergers and acquisitions or company finances, or speculate on future prices of the company’s shares.

► Assemblers using shared PCs on the factory floor can access and print engineering drawings, but only managers and engineers who log on to those PCs can move drawings to removable media.

► Laptop users cannot email, print, move, change or save sensitive data or protected content onto removable media unless specifically authorized—with each of those actions reported back to the Vericept Management Center when laptops reconnect to the network.

Restrictive policies can be set broadly, then modified by permissions tied to users and groups. Privileges travel with each user, overriding restrictions set for individual desktops so that authorized users have access to all resources needed to perform their work wherever it takes them.

4. Understand patterns of behavior to detect when insiders may be moving from trusted to untrusted states.

If access to sensitive data should be limited when employees exhibit problematic behavior, Vericept tools use multiple methods to detect signs of trouble such as:

► Disgruntled employee behavior, including unflattering references to the company across all forms of communication

► Discussion of gambling, substance abuse, violence, criminal activities or hate speech, capturing full threads of instant messages

► Internet abuse, including exact screen captures with to-the-bit accurate records of web sites as users viewed them

Most thefts of intellectual property involve some degree of premeditation and planning. By providing visibility into behaviors that suggest when insiders may no longer deserve the organization’s trust, Vericept enables security officials to preempt policy violations.
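The kind of content-to-user policy described in step 3 above, shown as an added worked example. This is not Vericept code or a description of its engine; the content categories, detector patterns, group names, recipient domains and sample messages are all constructed for illustration. Each outbound message is classified by content, and every protected category it matches must satisfy its sender-group, recipient-domain, channel and encryption constraints (default deny); business plans sent externally are allowed but logged, as in the fourth policy above.

```python
# Added example (not Vericept code): a minimal content-aware outbound policy check.
# Categories, patterns, groups, domains and the sample messages are constructed.
import re
from dataclasses import dataclass

# Constructed content categories: name -> detector pattern.
CATEGORIES = {
    "contract": re.compile(r"\b(?:RFP|statement of work|master services agreement)\b", re.I),
    "financials": re.compile(r"\b(?:quarterly revenue|EBITDA|earnings pre-announcement)\b", re.I),
    "business_plan": re.compile(r"\bbusiness plan\b", re.I),
}

# Constructed policy table modelled on the step-3 statements: which sender groups may
# send each category, to which recipient domains, over which channels, and whether the
# transmission must be encrypted or merely logged when it leaves the company.
POLICY = {
    "contract": {"groups": {"sales", "operations"},
                 "domains": {"example.com", "partner.example"},
                 "channels": {"email"}},
    "financials": {"groups": {"finance", "executive"},
                   "domains": {"example.com", "auditor.example"},
                   "channels": {"email"}, "encrypt": True},
    "business_plan": {"groups": {"executive", "strategy"},
                      "domains": None,            # any domain, but logged when external
                      "channels": {"email"}, "log_external": True},
}
INTERNAL_DOMAIN = "example.com"


@dataclass
class Message:
    sender_groups: set       # groups/roles of the sender, as held in the directory
    recipient: str           # e-mail address or IM handle
    channel: str             # "email", "im", "webmail", "usb", "print"
    body: str
    encrypted: bool = False


def classify(body):
    """Return the set of protected categories whose detector matches the body."""
    return {name for name, rx in CATEGORIES.items() if rx.search(body)}


def evaluate(msg):
    """Decide ("allow" | "block", reasons, log_entries) for one outbound message.

    Content with no protected category is allowed. Protected content must satisfy
    every constraint of every category it matches; any failure blocks the message."""
    hits = classify(msg.body)
    domain = msg.recipient.rsplit("@", 1)[-1].lower()
    reasons, log_entries = [], []
    for cat in sorted(hits):
        rule = POLICY[cat]
        if not (msg.sender_groups & rule["groups"]):
            reasons.append(f"{cat}: sender groups {sorted(msg.sender_groups)} not authorized")
        if rule["domains"] is not None and domain not in rule["domains"]:
            reasons.append(f"{cat}: recipient domain {domain} not permitted")
        if msg.channel not in rule["channels"]:
            reasons.append(f"{cat}: channel {msg.channel} not permitted")
        if rule.get("encrypt") and not msg.encrypted:
            reasons.append(f"{cat}: transmission must be encrypted")
        if rule.get("log_external") and domain != INTERNAL_DOMAIN:
            log_entries.append(f"{cat} sent externally to {msg.recipient}")
    return ("block" if reasons else "allow"), reasons, log_entries


if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        Message({"finance"}, "lead@auditor.example", "email",
                "Attached: quarterly revenue bridge.", encrypted=True),
        Message({"finance"}, "lead@auditor.example", "email",
                "Attached: quarterly revenue bridge."),
        Message({"sales"}, "buyer@partner.example", "im", "Here is the RFP response."),
        Message({"executive"}, "board@investor.example", "email",
                "Draft business plan attached."),
    ]
    for m in samples:
        print(m.channel, "->", m.recipient, evaluate(m))
```

The decision is made per category so that a message matching two categories has to pass both sets of constraints, and the reasons list is what an enforcement point would show the user or write to the management console.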


In a recent webcast,² Burton Group analyst Trent Henry examined how encryption technologies can play a role in endpoint security as information moves beyond the enterprise network: “Encryption is clearly of interest to enterprises,” said Henry, adding that “content-aware endpoint protection provides an additional layer that offers both preventative and detective control.”

Henry says that content control solutions are gaining traction because they catalog what is sensitive, index or profile it, and then pay attention to how it flows across the network. Vericept fulfills his vision for the role of endpoint content filtering as “fundamentally preventative—to not allow sensitive information to go where it shouldn’t be in the first place,” and when sensitive data is in the hands of trusted insiders, “to help the user understand on an information level what data is appropriate to go elsewhere—and what data should not.”

Vericept products are already providing content-aware security for more than 750 customers, including many Fortune 500 companies that implement Data Leakage Prevention Solutions.

For more information, please visit www.vericept.com.

Vericept detection methods identify structured and unstructured data, at rest and in motion. Automated self-compliance measures prevent inadvertent information disclosures, and advanced tools enable organizations to prevent malicious disclosures and the theft of intellectual property. The company’s comprehensive solution for effective data stewardship unites both network and desktop-based tools using a common policy and management layer. •


1. 2006 National Fraud Survey conducted by The Association of Certified Fraud Examiners.

2. Henry, Trent, “Moving Beyond Endpoint Encryption: Content Awareness for Mobile Protection,” Vericept webcast, November 8, 2006.


A comprehensive approach to endpoint protection and data stewardship


The CSO Executive Seminar Series on Identity Management


Register today at www.csoonline.com/conferences.

The CSO Executive Seminar on Identity Management will tackle this issue by examining the demands placed upon organizations, and how those demands can be addressed with enterprise identity management solutions. With the help of leading experts and practitioners we’ll examine the benefits and challenges, review an implementation case study, and explore the business case for adopting these solutions.


WHO SHOULD ATTEND

CSOs, CPOs, CISOs, Security & Privacy Protection Managers, Legal Counsels and others who are charged with protecting documents and files containing identification information.

Government and non-profit officials who prepare their organizations for security issues.

BENEFITS OF ATTENDING

A 360 degree view of identity management including:

• Key identity management implementations

• Building a business case for identity management

• Navigating the roadblocks to success

Visit www.csoonline.com/conferences to view the entire agenda.


SAN FRANCISCO, CALIFORNIA
Thursday, June 14, 2007
7:00am-3:30pm
Ritz Carlton Hotel

NEW YORK, NEW YORK
Wednesday, June 20, 2007
7:00am-3:30pm
Grand Hyatt New York

Space is limited. Register today at: www.csoonline.com/conferences or for more information call 800.366.0246


Platinum Sponsors: Entrust (Securing Digital Identities & Information), Novell

Produced by: CSO, The Resource for Security Executives


Machine Shop

White Hats and Black Boxes

An introduction to the murky science of Web application security

By Simson Garfinkel


JEREMIAH GROSSMAN WANTS you to know that firewalls and SSL encryption won’t prevent a hacker from breaking into your e-commerce website, compromising your customers’ data and possibly stealing your money. That’s because most website attacks these days exploit bugs in the Web application itself, rather than in the operating system on which the application is running.

Grossman is the founder and chief technology officer of WhiteHat Security, a Silicon Valley firm that offers an outsourced website vulnerability management service. Using a combination of proprietary scanning and so-called ethical hacking, WhiteHat assesses the security of its clients’ websites, looking for exploitable vulnerabilities.

WhiteHat does its scanning without access to the client’s source code and from outside the client’s firewall using the standard HTTP Web protocol. This approach is sometimes called “black box testing” because the website’s contents are opaque to the security assessors. The problem with black box testing, of course, is that it is sure to miss many vulnerabilities and back doors that are hidden in the source code—black box testing can only find vulnerabilities that are visible to someone using your website. But the advantage of this approach is that it precisely mimics how a hacker would most likely conduct his reconnaissance and break-in.

I met Grossman this past February at the RSA Data Security Conference in San Francisco and then had a follow-up meeting with him in early March. What he told me was not all that surprising, but it was tremendously disturbing nonetheless. According to Grossman:

■ WhiteHat is able to find significant vulnerabilities in approximately 80 percent of the websites that it analyzes.

■ The 20 percent that don’t have vulnerabilities are usually just “brochureware”—just a website with no active e-commerce application.

■ Most C-level executives think that firewalls protect websites against Web-application attacks. (They don’t.)

Before founding WhiteHat, Grossman spent two years working in the security group at Yahoo. It took Grossman and his team roughly a week to test each of Yahoo’s sites. At that rate, he said, it would have taken more than 10 years to test all of Yahoo’s online properties—assuming that they never changed. Of course, websites do change. And every time a website gets a significant makeover it has to be retested; otherwise newly introduced security vulnerabilities can go unnoticed.

Yahoo’s systems were protected by firewalls and other kinds of network isolation approaches. But these technologies don’t prevent most attacks aimed at Web applications. Firewalls and isolated networks prevent an attacker on the Internet from interacting with a service. But Web applications, by their very nature, need to be open to anyone on the Internet. If a merchant were to use its firewall to block access to its shopping cart system, then none of the website’s users would be able to buy anything!

Built In, Not Bolted On

Because you can’t protect Web applications with a firewall, the only way to protect them is by building the protection into the application itself. This is harder than it sounds, because every Web application has two parts: the part running on your servers and the part that’s running inside your customer’s Web browser. Adding protection to the Web application means that the developer needs to develop a program where one half doesn’t trust the other half. This is a hard idea for most developers to get their heads around.

One common vulnerability on the Web today is something called the predictable identifier vulnerability. What typically happens is part of the website is set up to display information whenever a Web browser asks for a piece of information using a certain identifier. For example, one URL might display a check image when it is provided with an account number and a check number. The developer might think that this doesn’t present a problem because anybody who knows the account number and the check number should be entitled to see that check image. The problem is that check numbers are predictable—they are issued sequentially. So just by trying different check numbers, a person who received one check from a payee could access all of the other checks that the payee had written.

14 www.csoonline.com May 2007

ILLUSTRATION BY JOHN WEBER



The predictable identifier vulnerability has shown up many ways over time. Years ago I remember one website that sent its customers a URL to view their receipts. The URL had a number in it. By incrementing the number, customers could see the receipts of other customers. And just a few months ago, WhiteHat’s security engineers discovered a website in which users of the website’s free services could access services that were available only to users with paid accounts. Overall, says Grossman, one in four websites that WhiteHat has tested are susceptible to this vulnerability.
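The check-image and receipt-URL cases above, as an added example that is not from the column or from WhiteHat. The flawed handler hands out an image to anyone who can name an account and a check number; the hardened one scopes the lookup to the authenticated session, so the identifier is only a selector and entitlement comes from the login. For the receipt-link case it also shows an unguessable token that is still bound to its owner. Account numbers, check numbers, owners, image bytes and receipt ids are constructed.

```python
# Added example (not from the column): the predictable-identifier flaw beside the
# authorization check that closes it. All data below is constructed.
import secrets

# Constructed data store: who owns each account, and the stored check images.
ACCOUNT_OWNER = {"1001": "alice", "1002": "bob"}
CHECK_IMAGES = {
    ("1001", 501): b"png:alice-check-501",
    ("1001", 502): b"png:alice-check-502",   # sequential numbers: trivially guessable
    ("1002", 777): b"png:bob-check-777",
}


class Forbidden(Exception):
    """Raised when the authenticated user is not entitled to the requested object."""


def get_check_image_vulnerable(account, check_no):
    """Flawed handler: whoever can name an account and a check number gets the image.

    Because check numbers are issued sequentially, anyone holding one of the payee's
    checks can walk the neighbouring numbers."""
    return CHECK_IMAGES.get((account, check_no))


def get_check_image(session_user, account, check_no):
    """Hardened handler: entitlement comes from the authenticated session, not from
    knowledge of the identifier. The account must belong to the logged-in user."""
    if ACCOUNT_OWNER.get(account) != session_user:
        raise Forbidden(f"{session_user} does not own account {account}")
    return CHECK_IMAGES.get((account, check_no))


# Receipt links: the numbered-receipt-URL case. Two independent fixes are applied:
# (1) the token is random, so neighbouring receipts cannot be enumerated;
# (2) the token is still bound to its owner, so a forwarded link is useless to others.
_RECEIPT_TOKENS = {}   # token -> (owner, receipt_id); constructed in-memory store


def issue_receipt_link(owner, receipt_id):
    token = secrets.token_urlsafe(24)        # 192 random bits, URL-safe
    _RECEIPT_TOKENS[token] = (owner, receipt_id)
    return token


def fetch_receipt(session_user, token):
    entry = _RECEIPT_TOKENS.get(token)
    # Unknown token and wrong owner get the same answer, so nothing is learned
    # about which tokens exist.
    if entry is None or entry[0] != session_user:
        raise Forbidden("unknown receipt or not the owner")
    return entry[1]


if __name__ == "__main__":
    print(get_check_image_vulnerable("1001", 502))      # served with no session at all
    print(get_check_image("alice", "1001", 502))        # owner: served
    try:
        get_check_image("bob", "1001", 502)             # not the owner: refused
    except Forbidden as e:
        print("refused:", e)
    tok = issue_receipt_link("alice", "R-1")
    print(fetch_receipt("alice", tok))
```

The point of the hardened handler is that the ownership check runs on every request; making the identifier random is a useful second layer, but on its own it would not stop a user who legitimately obtains one link from sharing it.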

Another common vulnerability is the so-called SQL Injection Attack. These vulnerabilities arise when information provided by the website’s user isn’t properly validated before being used to create a query that’s written in the Structured Query Language, the interface language used by most of today’s database systems. SQL injection attacks can be devastating to both customer privacy and the integrity of financial information. WhiteHat has found that one in five websites is vulnerable to this kind of attack.
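The defect just described, as an added example that is not from the column: a customer lookup that pastes user input into the SQL text, beside the parameterized query that fixes it, both run against a constructed in-memory SQLite table. It also includes a simple check a tester or developer can use to spot string-built SQL: a legitimate value containing a lone apostrophe makes the flawed query fail with a database error, while the fixed one simply returns no match.

```python
# Added example (not from the column): SQL built by string formatting versus a bound
# parameter. The table, rows and probe strings are constructed.
import sqlite3


def make_db():
    """Constructed customer table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, balance REAL)")
    conn.executemany(
        "INSERT INTO customers (email, balance) VALUES (?, ?)",
        [("alice@example.com", 120.0), ("bob@example.com", 75.5), ("carol@example.com", 9.99)],
    )
    return conn


def find_customer_vulnerable(conn, email):
    """Flawed: the user-supplied value is pasted into the SQL text, so quote characters
    in the input change the structure of the query instead of being part of the data."""
    sql = "SELECT id, email FROM customers WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def find_customer(conn, email):
    """Hardened: a bound parameter is always data, never SQL. The driver sends the value
    separately, so the query structure is fixed when the code is written."""
    return conn.execute("SELECT id, email FROM customers WHERE email = ?", (email,)).fetchall()


# Constructed input that exposes the defect: it closes the string literal and appends
# an always-true condition, so the flawed query returns every row.
PROBE = "' OR '1'='1"


def stray_quote_errors(conn, lookup):
    """Detection aid: does an ordinary value with an apostrophe make the query fail?
    A database error surfacing from a text field is the classic symptom of
    string-built SQL, and it is also a plain functional bug for such customers."""
    try:
        lookup(conn, "o'brien@example.com")
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = make_db()
    print(find_customer_vulnerable(db, "bob@example.com"))   # one row, as intended
    print(find_customer_vulnerable(db, PROBE))               # whole table disclosed
    print(find_customer(db, PROBE))                          # no rows: treated as data
    print(stray_quote_errors(db, find_customer_vulnerable), stray_quote_errors(db, find_customer))
```

The fix is not input filtering but separating code from data at the driver boundary; the same pattern applies to every database API that offers placeholders, and it is the "native secure library" kind of protection the column later credits the newer frameworks with.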

Yet another vulnerability is the cross-site scripting attack. These attacks are made possible when a Web application accepts a message from one user and displays it to another user without proper filtering. This is a problem because messages on the Web can contain JavaScript, and JavaScript is the programming language in which the client’s half of a Web application is written. With a cross-site scripting attack, one user can literally take over a second user’s account just by sending that user a message and having him read it.

Cross-site scripting attacks have shown up on websites where users can send each other messages (like LiveSpace and LinkedIn), websites where users can post content (like eBay and Wikipedia) and even websites that let users upload databases of links (because URLs can contain JavaScript). Seven in 10 websites are vulnerable to this attack, Grossman says.
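The two cross-site scripting cases above (user messages displayed to other users, and user-supplied links), as an added example that is not from the column. The flawed renderer splices a message straight into the page; the fixed one encodes everything from the user for the HTML context so the browser shows it as text. For links, the check allows only absolute http and https URLs rather than trying to blacklist script-carrying ones. Messages, author names and URLs are constructed.

```python
# Added example (not from the column): output encoding for user messages and scheme
# validation for user-supplied links. Sample inputs are constructed.
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def render_message_vulnerable(author, text):
    """Flawed: user text becomes markup, so a message containing a script runs in every
    reader's browser, under the reader's session."""
    return f"<div class='msg'><b>{author}</b>: {text}</div>"


def render_message(author, text):
    """Hardened: every user-controlled value is encoded for the HTML text context.
    quote=True also encodes quotes, which matters if a value lands in an attribute."""
    safe_author = html.escape(author, quote=True)
    safe_text = html.escape(text, quote=True)
    return f"<div class='msg'><b>{safe_author}</b>: {safe_text}</div>"


def safe_href(url):
    """Return the URL if it is an absolute http(s) link, otherwise None.

    Only explicit, known-safe schemes are accepted. Script schemes, data: URLs and
    scheme-relative links are rejected by this allow-list rather than enumerated."""
    cleaned = url.strip()
    parts = urlsplit(cleaned)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return cleaned


def render_link(label, url):
    """Render a user-supplied link, falling back to plain text when the URL is refused."""
    href = safe_href(url)
    safe_label = html.escape(label, quote=True)
    if href is None:
        return safe_label
    return f'<a href="{html.escape(href, quote=True)}">{safe_label}</a>'


if __name__ == "__main__":
    msg = "<script>run()</script>"              # constructed hostile message
    print(render_message_vulnerable("mallory", msg))
    print(render_message("mallory", msg))
    print(render_link("Docs", "https://example.com/docs"))
    print(render_link("Docs", "JavaScript:run()"))   # refused: label only
```

Encoding must happen at output time, for the specific context the value lands in (HTML text, attribute, URL), which is why it belongs in the rendering layer rather than in a filter applied when the message is stored.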

There are two ways to address systematic problems like predictable IDs, SQL injection and cross-site scripting. The first is developer training—teach developers to write bug-free code. Grossman believes this is a best practice, but cautions that it won’t have a significant impact for several years to come. The reason is that large companies that have hundreds of developers have a high turnover rate, so they will be playing catch-up for a while to come. Just one bug can render an entire website vulnerable.

The second security approach is to rewrite legacy Web applications with modern developer tools—tools that are less susceptible to these kinds of problems.

Platform Diving

From his vantage point at WhiteHat, Grossman has seen several organizations migrate websites from Microsoft’s original ASP to ASP.NET. “ASP classic, the first generation of ASP websites, are generally riddled with vulnerabilities,” he says. But when these organizations rewrote their applications using ASP.NET, suddenly their applications improved tremendously securitywise. “Same developers, two different frameworks. It wasn’t an education problem, it was a technology problem.”

The newer platforms are more secure than the old ones because the framework provides native secure libraries and APIs for account management, log-in/log-out, session handling, input validation and so on. It’s also important for a company to standardize on a single application development system. That way the company can build up in-house expertise, rather than approaching each new project like a novice.


Other companies have significant problems with process. For example, WhiteHat’s scanner will sometimes find a vulnerability the first time the site is scanned but not find it the second time. “Our systems figured they fixed it and closed the ticket.” But on a third scan the vulnerability sometimes comes back.

In a case like this, WhiteHat will call the customer. The developers look at their Web servers and say the vulnerability doesn’t exist. And indeed, on some scans the vulnerability is there, and on some it isn’t!

“We call it vulnerability clapping,” explains Grossman. “Many websites have load-balanced systems” behind a single URL. Each of these systems is supposed to be running exactly the same code, but sometimes they aren’t. “Some systems will be hot-fixed, and some won’t,” he says. These bugs are very hard to find because they require customers to examine each of their supposedly “identical” Web servers for differences.

At another company—a financial institution—WhiteHat discovered an easily exploited vulnerability that would have let customers steal money. WhiteHat called up the company and the problem was hot-fixed within 24 hours. But a few months later, the vulnerability came back.

“The developers were working on the next release, set to come out in two to three months. Some developer did not back-port the hot-fix from the production server to the development server. So when the push occurred three months later, they pushed the vulnerability again.” Ugh!
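Both process failures above, "vulnerability clapping" across a load-balanced pool and a hot-fix that is lost at the next release push, come down to how scan results are reconciled over time. The following is an added example, not WhiteHat's code, of that reconciliation: scan results are kept per backend node and per run, a finding is not closed on a single clean pass, a finding present on only some nodes is flagged as an inconsistent pool (with the nodes still affected named), and a finding that returns after a clean run is reported as a regression rather than a new ticket. Node names, finding ids and the run history are constructed.

```python
# Added example (not WhiteHat's code): reconciling repeated scan results across the
# nodes behind one URL. Nodes, finding ids and runs are constructed.

# Constructed scan history: one dict per run, mapping each backend node to the set of
# finding ids observed on it in that run.
RUNS = [
    {"web-1": {"V-17"}, "web-2": {"V-17"}, "web-3": {"V-17"}},   # first reported
    {"web-1": set(),    "web-2": {"V-17"}, "web-3": set()},      # hot-fix reached two of three nodes
    {"web-1": set(),    "web-2": set(),    "web-3": set()},      # clean everywhere
    {"web-1": {"V-17"}, "web-2": {"V-17"}, "web-3": {"V-17"}},   # release push re-introduced it
]


def finding_timeline(runs):
    """For every finding ever seen, the set of nodes on which it appeared in each run."""
    nodes = sorted({n for run in runs for n in run})
    findings = sorted({f for run in runs for fs in run.values() for f in fs})
    timeline = {
        f: [frozenset(n for n in nodes if f in run.get(n, ())) for run in runs]
        for f in findings
    }
    return nodes, timeline


def classify_findings(runs, clean_runs_to_close=2):
    """Map each finding to a state from the latest run and its history:
      open           present on every node
      partial        present on some nodes only: the "clapping" case, an inconsistent pool
      pending-close  absent everywhere, but for fewer than clean_runs_to_close runs
      closed         absent everywhere for clean_runs_to_close consecutive runs
      regressed      present again after at least one fully clean run"""
    nodes, timeline = finding_timeline(runs)
    states = {}
    for f, seq in timeline.items():
        latest = seq[-1]
        if latest:
            if any(not s for s in seq[:-1]):
                states[f] = "regressed"
            elif len(latest) == len(nodes):
                states[f] = "open"
            else:
                states[f] = "partial"
        else:
            clean = 0
            for s in reversed(seq):          # count trailing clean runs
                if s:
                    break
                clean += 1
            states[f] = "closed" if clean >= clean_runs_to_close else "pending-close"
    return states


def still_affected(runs, finding):
    """Nodes on which the finding was seen in the latest run: the ones to compare
    against their supposedly identical siblings."""
    _, timeline = finding_timeline(runs)
    return set(timeline.get(finding, [frozenset()])[-1])


if __name__ == "__main__":
    for k in range(1, len(RUNS) + 1):
        print(f"after run {k}:", classify_findings(RUNS[:k]), still_affected(RUNS[:k], "V-17"))
```

Scanning the pool by node rather than by the public URL is what makes the partial state visible at all; a scanner that only sees the load balancer will report the finding intermittently, which is exactly the pattern the column describes.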

I’ve never been a big fan of penetration testing, but the two hours that I spent talking with Grossman convinced me that it’s a necessary part of today’s e-commerce websites. Yes, it would be nice to eliminate these well-known bugs with better coding practices. But we live in the real world. It’s better to look for the bugs and fix them than to simply cross your fingers and hope that they aren’t there. ■


Simson Garfinkel, CISSP, is researching computer forensics and human cognition at Harvard University. Send feedback to machineshop@cxo.com.


16 www.csoonline.com May 2007



Passion is going above and beyond.

Passion is always being there for our clients.

It’s more than a job. It’s our obsession.

LURHQ and SecureWorks have merged to become the most effective managed security services provider. Get more info at: http://www.secureworks.com | 877.905.6661 | info@secureworks.com

Security Device Management | Enterprise Security Monitoring | Security Information and Event Management | Vulnerability Scanning | Threat Intelligence | Professional Services | E-mail Encryption


Cover Story


Big pharma’s RFID trials aim to keep fake drugs out of your medicine cabinet—but the technology has significant limitations

By Sarah D. Scalet


For over two years now, every single bottle of OxyContin that’s bound for either Wal-Mart, the world’s largest retailer, or H.D. Smith, a midsize drug wholesaler, has been slapped with a special label that’s hailed as the solution to the world’s counterfeit drug problem.

Hidden inside each ordinary-looking label is a radio frequency ID tag that is supposed to allow Purdue Pharma, manufacturer of the controversial painkiller, to track the drug’s progress throughout the supply chain—regardless of how many pills are poured into how many bottles and stacked into how many cardboard boxes whizzing by on a conveyor belt. The idea is that distributors could quickly scan all their bottles of OxyContin, learn the complete provenance, or “pedigree,” of each one, and reject any that could not be traced back to Purdue.

IN THIS STORY A window into a leading industry’s use of RFID technology ■ How RFID technology can and cannot stop counterfeit drugs ■ Why the industry has not gotten further with its efforts to trace drugs back to the manufacturer

18 www.csoonline.com May 2007

ILLUSTRATION BY BRIAN STAUFFER

Cover Story | Supply Chain Security

“It’s efficient, it’s accurate, it does what we want it to do from a security perspective, and it doesn’t bog down the distribution system,” says Aaron Graham, VP and CSO of Purdue Pharma, adding that the infrastructure investment for the pilot project was $2 million and each tag costs between 30 and 50 cents.

If what Graham is saying sounds familiar, right down to the numbers he cites, that’s because he’s been saying the same thing for years. Yet even now, he can offer remarkably little detail about how the system has prevented counterfeit OxyContin from being sold. Purdue, after all, has never had a problem with counterfeit OxyContin. What the company has had instead is a problem with stolen and diverted OxyContin, along with pressure from the government to get better control over a highly addictive drug that has received much more media attention for its abuse than its use.

Indeed, Graham acknowledges that the main security advantage of Purdue’s RFID system is that investigators can scan a seized bottle or box of OxyContin and pinpoint exactly where it came from. To really stop counterfeit drugs, Graham says, would require a central information clearinghouse where every distributor and pharmacy checked and validated the pedigree of every drug—a far more complex task than tracking one type of drug going to two different outlets, as Purdue is doing.

The need to prevent counterfeit drugs from being introduced into the legitimate supply chain is acute. The World Health Organization has said that counterfeit drugs represent more than 10 percent of global sales, and they are responsible for some thousands of deaths each year. The problem is that decades after RFID technology was invented, and years after the U.S. Food and Drug Administration started touting it as the most promising way to authenticate drugs, RFID technology as an anticounterfeiting technology remains just that: “promising”—yet far from proven.

Even as companies like Purdue continue to test the use of RFIDs, it remains unclear whether the technology can ever live up to its promises—not only in the pharmaceutical industry, which is at the leading edge of testing this much-hyped technology, but also anywhere else. The reasons why go far beyond the technology, standards and privacy issues that are most often raised, and into the very nature of what RFID simply is and isn’t, and what it will or won’t ever be able to deliver to any anticounterfeiting program.

“We see this in other areas of security,” says Roger Johnston, team leader of the Vulnerability Assessment Team at Los Alamos National Laboratory, who has done extensive research on RFID technology and concluded that it may not offer any better security than ordinary bar codes. “Providing good security is a tough challenge, and people are looking for silver bullets,” he says. “The problem is that if you simply take an RF tag, slap it on and think somehow it’ll magically provide security, you’d be quite mistaken.”

Why? Here are five reasons. Behind each myth, as you’ll see, is a much smaller dose of reality.


Legislative Tangle

While the federal government’s push to trace the movement of drugs has been slowed, several states have stepped in with rules of their own

Late last November, the U.S. Food and Drug Administration’s attempts to require the pharmaceutical industry to establish electronic pedigrees—documents that trace the movement of drugs throughout the supply chain—hit yet another roadblock. A district court in New York enjoined the government from enforcing a portion of the Prescription Drug Marketing Act (PDMA), the law that allows the FDA to implement pedigree requirements.

The lawsuit, filed by several secondary wholesalers, has to do with whether a drug’s pedigree must extend back to the manufacturer or only to the most recent “authorized distributor of record.” The plaintiffs claim that having to trace drugs back to the manufacturer would effectively put them out of business. The FDA has appealed the decision.

“We view the effort to implement widespread use of electronic pedigrees as somewhat separate from the PDMA,” says Ilisa Bernstein, the FDA’s director of pharmacy affairs. “What [the lawsuit] does affect is the information that’s on the pedigrees that are required to be passed today.”

At the same time, however, the FDA pushed back its December 2006 target date for when electronic pedigrees must be implemented. “Back in 2003 and 2004, wholesalers, pharmacies and manufacturers told us ‘RFID is promising; we’re going to have widespread use of track and trace by 2007,’” Bernstein says. Now, the FDA is leaving it up to private industry to say when e-pedigrees will be fully implemented.

Meanwhile, several states have taken matters into their own hands. Carmen Catizone, executive director of the National Association of Boards of Pharmacies, is watching three states in particular:

California has passed a law requiring electronic pedigrees, using RFID technology, beginning in 2008. Catizone says that the law has run into serious resistance, due to industry complaints that the technology is not ready and also is too expensive.

Florida has passed a law that requires paper or electronic pedigrees for all prescription drugs. However, Catizone says, it applies only to secondary wholesalers rather than the main supply chains.

Oklahoma has passed legislation involving drug pedigrees but is just starting a task force that will decide how to implement the law. -S.D.S.


20  www.csoonline.com  May  2007 


Myth 1: RFID tags are anticounterfeiting devices.

Call up most pharmaceutical companies and ask to speak with the group most involved in testing RFID technology, and chances are good the security department will not answer the phone. Consider the RFID efforts currently under way at the country’s three largest drug wholesalers. At McKesson, the RFID initiative falls under the pharmaceutical distribution business. At AmerisourceBergen, the point person is in “integrated solutions,” which encompasses the testing and implementation of new technologies. And at Cardinal Health, the task falls to healthcare supply chain services, which is part of operations. That’s because an RFID tag is first and foremost a tracking device, not a security one.

Even the manufacturers of the RFID tags themselves, Johnston likes to grouse, are not security companies. “They’re made by semiconductor companies for inventory purposes,” he says.

True, an RFID tag has potential as a security device, when it’s incorporated into a larger scheme. But it’s not an anticounterfeiting device in the way that, say, a hologram label is supposed to be. An RF reader cannot simply read information on an RF tag—even an encrypted one—and provide its owner assurance that the product is authentic. RFID technology is either a way of facilitating the documentation required to create a drug’s electronic pedigree (the record of a drug’s journey through the supply chain), or a component of a much more complicated system known as track and trace, which involves communication with the drug’s source, or someone who knows it. Which brings us to point number two.


Myth 2: RFID technology is necessary to track the movement of legitimate drugs.


At AmerisourceBergen, a complex track-and-trace pilot project is under way that would allow the $61 billion distributor to check the source of any drugs that pass through its distribution facility in Sacramento, Calif. Funny thing is, RFID technology is just one tiny piece of the project—the one that (hopefully) makes it operate quickly, rather than securely. The component of the technology that actually authenticates drugs is a registry handled by VeriSign, which is known mostly for its digital certificate products.

Shay Reid, AmerisourceBergen’s vice president for integrated solutions, explains. Drugs that have RFID tags are read with an RF reader, but the crucial part from a security standpoint is what happens next:


PHOTO  BY  JEFF  WEINER 



Cover  Story  |  Supply  Chain  Security 


two-way communication. “If I am the rightful owner, and VeriSign can verify that I did receive [the product] from an upstream trading partner, then they’ll give me a certification number that allows me to further distribute the product downstream,” Reid says. “If they can’t verify that I am the rightful owner, then the transaction will be refused.”

Here’s the catch: Typically, products that are marked with RFID tags are also marked with a 2-D bar code, which is similar to a traditional bar code but carries more information. “The 2-D is the backup,” Reid explains.

That’s because the most common complaint about RFID tags is that they’re flaky. Read rates as low as 70 percent have been reported, and accuracy can be especially difficult when liquid medicine or foil wrapping is involved. (To be fair, RFID technology has come a long way in the past couple years, and tests of the latest tags are much more encouraging. Cardinal Health reports that its latest tests showed 99 percent accurate read-rates and no ill effect from liquids or foils.)

For now, however, the 2-D bar code is generally considered a more reliable marker than the RFID tag—albeit one that takes longer to read, because it can’t be scanned through packaging material using radio waves.

The crucial point of either marking mechanism is that each container be labeled with a unique, serialized number. That way, once bottle #1894892432 has been received by a pharmacy in Silver City, N.M., a bottle with #1894892432 can’t also be authenticated by a pharmacy in Brunswick, Md. Otherwise, counterfeiters could simply churn out fake RF tags—or 2-D bar codes, for that matter—as easily as they churn out fake drugs, and there would be no central clearinghouse identifying the duplicates.
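As an added illustration (not VeriSign’s registry or any company’s code), the following Python toy models the two-way check Reid describes and the duplicate-serial rule above: a serial is commissioned once, a hop is accepted only when the sender is the owner of record, and a second pharmacy presenting the same serial is refused. The party names, the use of the article’s bottle number, and the HMAC-based certification numbers are constructed assumptions.

```python
"""Toy central-clearinghouse model for serialized drug containers.

Added example, not AmerisourceBergen's or VeriSign's code. It models the
two rules the article describes: each container carries a unique serial
(read from an RFID tag or its 2-D bar code backup; the registry does not
care which), and a party may pass a serial downstream only after the
clearinghouse confirms it is the owner of record. Party names, the serial
and the HMAC-based certification numbers are constructed for illustration.
"""
import hashlib
import hmac
import secrets


class Clearinghouse:
    def __init__(self, manufacturer, key=None):
        self.manufacturer = manufacturer
        # Key held only by the clearinghouse; certification numbers are
        # MACs over the hop, so a trading partner cannot mint its own.
        self._key = key if key is not None else secrets.token_bytes(32)
        self._owner = {}      # serial -> current owner of record
        self._pedigree = {}   # serial -> [(sender, receiver, cert), ...]

    def commission(self, serial):
        """Manufacturer registers a fresh serial exactly once."""
        if serial in self._owner:
            raise ValueError("serial %s already commissioned" % serial)
        self._owner[serial] = self.manufacturer
        self._pedigree[serial] = []

    def _cert(self, serial, sender, receiver, hop):
        msg = "|".join((serial, sender, receiver, str(hop))).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]

    def receive(self, serial, sender, receiver):
        """`receiver` claims to have received `serial` from `sender`.

        Returns (accepted, certification_number_or_reason). Reading the
        tag proves nothing by itself; the decision rests on the registry's
        record of who currently owns the serial.
        """
        owner = self._owner.get(serial)
        if owner is None:
            return False, "unknown serial"          # never commissioned: fake
        if owner != sender:
            # Either a cloned tag (the serial already moved on) or a party
            # that is not the owner of record trying to pass it along.
            return False, "owner of record is %s, not %s" % (owner, sender)
        cert = self._cert(serial, sender, receiver, len(self._pedigree[serial]))
        self._owner[serial] = receiver
        self._pedigree[serial].append((sender, receiver, cert))
        return True, cert

    def verify_cert(self, serial, cert):
        """Downstream check that a presented certification number matches
        the registry's last recorded hop for the serial."""
        hops = self._pedigree.get(serial, [])
        if not hops:
            return False
        sender, receiver, _ = hops[-1]
        expected = self._cert(serial, sender, receiver, len(hops) - 1)
        return hmac.compare_digest(expected, cert)

    def pedigree(self, serial):
        """What an investigator scanning a seized bottle gets back:
        the recorded chain of custody for that serial."""
        return [(s, r) for s, r, _ in self._pedigree.get(serial, [])]


def run_scenario():
    """Legitimate chain, then a second pharmacy presenting the same serial."""
    reg = Clearinghouse("Manufacturer")
    serial = "1894892432"   # the bottle number used in the article
    reg.commission(serial)
    results = {}
    ok, cert = reg.receive(serial, "Manufacturer", "Wholesaler")
    results["wholesaler"] = ok
    ok, cert = reg.receive(serial, "Wholesaler", "Pharmacy-SilverCity")
    results["silver_city"] = ok
    results["cert_valid"] = reg.verify_cert(serial, cert)
    # A cloned tag: a second pharmacy claims the same serial from the
    # same wholesaler. The serial has already moved on, so it is refused.
    ok, reason = reg.receive(serial, "Wholesaler", "Pharmacy-Brunswick")
    results["brunswick"] = ok
    # A serial that was never commissioned (fabricated tag or bar code).
    ok, reason = reg.receive("0000000000", "Wholesaler", "Pharmacy-Brunswick")
    results["unknown"] = (ok, reason)
    results["pedigree"] = reg.pedigree(serial)
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, value)
```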


Myth 3: RFID technology can be used to mark pills, tablets and elixirs themselves.

When RFID boosters praise the technology as the solution to counterfeit drugs, here’s one objection that Novartis’s James Christian is quick to raise: No one is marking drugs, only the packaging.

“We have had experience with counterfeit product in genuine packaging, and genuine product in counterfeit packaging,” says Christian, who is CSO of the $37 billion company based in Basel, Switzerland, which manufactures a variety of prescription and over-the-counter drugs. “The packaging isn’t what’s important.”

What’s more, he says, pharmaceutical products are routinely and legally repackaged in both the United States and the European Union. “If a pharmaceutical company invests a great deal of money into putting security devices in packaging, the product could easily be transferred legally to a package with no security device,” he says. “And now someone has a collection of genuine packaging with security devices that they might throw away or use in another manner.”

In Christian’s opinion, at least, changing the rules that govern how legitimate drugs are distributed could be more effective than using RFID technology in defeating counterfeit drugs. This could mean changing repackaging laws or increasing penalties for counterfeiters. Whether any of this would be easier to accomplish, though, is anyone’s guess.


Myth 4: RFID technology will let consumers verify that they have purchased legitimate products.

The ultimate goal of using RFID technology as part of an electronic pedigree or track-and-trace program is to allow customers to know that the drugs they have in their medicine cabinet are authentic ones. “The benefit is at the consumer end—knowing that the product you’re getting came from where it should have come from,” says Julie Kuhn, vice president of operations, healthcare supply chain services at Cardinal Health, the $81 billion wholesaler based in Dublin, Ohio.

Yet no one—not the FDA, and not any of the pilot programs being done by the private sector—is actually proposing a way for consumers to validate the products. In fact, it seems likely that RFID tags will be disabled before the drugs reach consumers’ hands. This is largely because of privacy concerns that, say, stores could use the information on RFID tags to know what bottle of pills a customer has in his backpack.

Even if the United States does eventually have a track-and-trace program that relies on RFID technology, ultimately the consumer will still be relying on something as old-fashioned as an ice-cream soda: trust in the local apothecary.

“Patients put trust in the states licensing the pharmacies, and that pharmacists are only buying legitimate products,” says Carmen Catizone, executive director of the National Association of Boards of Pharmacies. “But right now, they can’t do that, because they don’t have a pedigree” of where the drug came from.

Myth 5: The pharmaceutical industry is this close to widespread RFID adoption.

Given all these challenges and limitations, it may come as no surprise that the move to implement RFID technology to secure the nation’s drug supply has hit some speed bumps, years after it was first promoted as the Next Big Thing for pharma. The FDA, after delaying for years the deadline for when the industry should have electronic pedigrees in place—ones that it says, most likely, will rely on RFID technology—recently announced its biggest delay of all: It was giving up on setting a deadline.

Back in 2004, explains Ilisa Bernstein, the FDA’s director of pharmacy affairs, “we thought there would be widespread use by 2007. We’re not there. So rather than setting another deadline, we’re leaving it to the stakeholders themselves to come up with a deadline.” (An injunction of the Prescription Drug Marketing Act, the 1987 law that allows the FDA to set this regulation, has not helped. For more, see “Legislative Tangle” on Page 20.)

Still, the FDA continues to say (as it has for years) that RFID technology is the “most promising” means of authenticating drugs.

“We keep saying this is a promising solution,” Bernstein says. “We want to say that this is a solution, but we’re not there yet because people haven’t adopted it. There’s a lot of work going on behind the scenes, but you have to cross over the line and just jump right in and start doing it.”

In the end, it may turn out that both the RFID boosters and the naysayers are right: RFID technology may in fact be the most promising way to mitigate an unsolvable problem. But only time will tell.

“We need more customer validation of the solutions that are being used today,” says Michael Liard, a research director at ABI Research who studies RFID. “If companies are finding ROI or business benefits, they’re hard-pressed to share those because those are now sources of competitive differentiation. So getting them to communicate the benefits that they’re realizing is a challenge that we’re going to have to address as an industry.”

Send feedback to Senior Editor Sarah D. Scalet at sscalet@cxo.com.

Discuss RFID in the drug industry on CSOonline.com

Have a question about the legal requirements for RFID and e-pedigree in the pharmaceutical supply chain? Jayne Juvan, an attorney at Benesch Friedlander Coplan & Aronoff in Cleveland, is available to answer reader questions throughout May. Juvan specializes in the healthcare industry and represents pharmaceutical companies throughout the supply chain, as well as hospitals, physician groups and other related services.




QVAM TVRBAS IN POMPEIIS ANTIQVIS MODERARE (or, How to Control Crowds in Ancient Pompeii)

What computer models are telling us about how to manage a crowd, the ancient Romans already seemed to know. By Scott Berinato

In ancient Pompeii, if you walk northeast along the wide Via dell’Abbondanza, then cut right onto the narrower Via Nocera for a block, then turn left onto Via di Castricio, you’ll approach the southeastern corner of the city, where the road again opens wide to the Anfiteatro, Pompeii’s stadium, preserved remarkably well by the thick blanket of Vesuvian ash that covered it for about 1,700 years.

When G. Keith Still took this walk for the first time nearly 11 years ago and went inside the stadium, he sensed a paradox. In many ways it felt just like modern stadiums. That’s not surprising;

sical Greek and Roman architecture.

But at the same time, Still, a world-leading expert on crowd management who has consulted on some of the biggest crowd-control events in the world, including the Haj pilgrimage to Mecca and the upcoming Beijing Olympics, felt something different from today’s stadiums at Pompeii. “Everything seemed so much easier,” he says. “There was enough space for everyone. Entrance and exit were simple, elegant. It wasn’t just a stadium, it was an integrated part of the city design.”




In Campania near modern Naples, Pompeii and the nearby seaside fishing town Herculaneum were popular retreats for wealthy Romans, like an ancient Martha’s Vineyard and Nantucket. A major earthquake rocked the city in February A.D. 62. Pompeii was still rebuilding in A.D. 79 when Vesuvius erupted, burying both Herculaneum and Pompeii until they were rediscovered in the 18th century. Pompeii’s amphitheater is considered one of the best-preserved architectural artifacts from ancient Rome.


ILLUSTRATION  BY  MATTHEW  COOK 


Crowd Management

From a crowd management perspective, Still says, Pompeii’s stadium is an excellent design, and one worth learning from. Of course, Still understands that modern facilities are looking at economic payback and long-term sustainability and because of that often work with limited space. Still argues, however, that facilities are designed to maximize profit at the expense of creating safe crowd conditions. “They don’t design for the safe movement of people,” he says. “Architects borrow from history. They co-opt features of ancient facilities without understanding the broader context. They’ll spend years studying design and structures and spend a couple of weeks on crowds. They say ‘Let’s put it here, then figure out how to get people in and out.’ There’s scope for improvement, we’ll put it that way.”

Improvement can come from studying sites like Pompeii, Still says, and then trying to balance the profit motive with some of the ancient stadium’s crowd management features that can significantly reduce the risk of often tragic and too-common security events—crowd disasters.

Stampedes, crushes, riots. In crowds, trivial events can have tragic consequences. In a Chinese school last year, a child stopping in a stairwell to tie his shoe spurred a crush that killed six. The belligerent few can sway thousands of normally well-behaved individuals to riot, as soccer hooligans in Italy did earlier this year. Still shows video from an outdoor rock concert in which a few kids dancing fall down and cause, in seconds, a wave of hundreds of collapsing bodies, as if cuffed by the hand of an invisible giant.

Crowd behavior can be so distinct from individual behavior that the crowd is thought of as one thing, a kind of superorganism with its own psychology. Back when Pompeii’s amphitheater still hosted gladiatorial spectacles, Titus Livius (Livy) complained that crowds are “either humble and servile or arrogant and dominating...incapable of making moderate use of freedom.” Gustave le Bon, who wrote about group psychology in the early 20th century, said we must either figure out the psychology of crowds or “resign ourselves to being devoured by them.”

No security phenomenon is as volatile, none can flip from managed to chaotic as quickly as a crowd. That’s why professionals such as Still are concerned by poor design in modern stadiums. (Still says he’s also concerned about a marketing trend where companies harness crowds to generate buzz, a phenomenon called “crowd crazing.” The tightly hyped launch of a video game system, for example, has spurred violence, as have discount bridal gown shopping events, the grand opening of Ikea furniture stores and the lead-up to a sporting event between rivals.)

For a long time, the crowd itself, the mob mentality, mass panic, was inevitably blamed for disasters. But in the past decade, the science of crowd dynamics has undergone a broad philosophical shift, led by experts like Still who suggest that the mob mentality is a myth. Using computer modeling that combines a wide breadth of knowledge, from architecture and design to human physiology and psychology, Still has upended the assumption that the crowd causes disaster, and underneath that assumption he has found that it’s possible to manage the risk inherent in crowd dynamics and reduce the possibility of disaster.

“It’s not a stampede, it’s a design and management problem,” says Still. “The stampede is the effect, not the cause. It’s an entirely predictable crowd dynamic. We can tell you what factors give rise to that behavior and how to engineer a system to limit it.

“And, lo and behold,” he says, explaining the paradox he sensed in Pompeii’s amphitheater that day, “if you look at Pompeii stadium, 2,000 years ago, they did this incredibly well.” When he compares the Pompeii stadium’s design to what computer models tell him is good crowd management design, “the geometry, the ratios and spaces at Pompeii, they are all optimal.”

Turn the page for a tour of Pompeii’s Anfiteatro, and what makes its design, from a crowd dynamics standpoint, optimal.


The Pompeii amphitheater’s location and design control crowds. The stadium is set in a corner of the city, directing all traffic in one general direction. None of the exits direct traffic toward the narrow corner of the city. Six stairways all move foot traffic to the west. Two gates out of the city accommodate intracity travelers. Bathrooms are located in the massive palaestra, where no lines would form. Every path opens to a wider, not narrower space so when the roads do narrow and pedestrians have to make corner turns that slow them down, the crowd is dispersed enough that these elements won’t cause congestion.


BUILD A BIG BATHROOM. Pompeii amphitheater’s bathroom is the design element most distinct from modern stadiums. In fact, there was only one public toilet, and it wasn’t in the stadium, it was next to it. The toilets were part of a larger structure, called a palaestra. Originally in ancient Greece, a palaestra was a gymnasium complex, but here its function was broader. People gathered here during events. Likely they conducted business and got food and drink here too. The palaestra was effective because it was huge, the size of four and a half football fields; its footprint roughly matches the stadium’s. The public pool at its center, with a 3-foot shallow end and 8-foot deep end, was 75 feet wide by 115 feet long. “Not only were there plenty of toilets,” says Still, “but the route to and from them allowed for a wide dispersal of people.” In modern facilities, there are many small bathrooms that endure rushes during intermissions, and the path usually narrows at the bathroom’s entrance. Still says modern stadiums should build more and bigger bathrooms, give patrons large areas to line up outside of them and, as much as possible, separate their location from the stadium’s main traffic. At Pompeii, he says, “they clearly planned for the rush that would occur at the end of a spectacle. You had the same human needs”—to visit rest rooms—“but the layout and design made the whole dynamic of moving to and from much better.”

SEPARATE QUEUES FROM PROMENADES. Moving the bathroom and concessions next to the stadium instead of inside carried the added benefit of keeping those who were standing around separate from those who were walking to and from their seats. Good crowd management relies on keeping people moving at their comfortable pace of about 1 to 1.3 meters per second. Putting lines for the loo and for hotdogs in the same places where people walk creates clustering and disrupts that natural pace. This not only creates anxiety and frustration, but it also has a domino effect, creating congestion far away from the source, the same way it does on a busy road when cars accelerate and slow down. If modern stadiums aren’t going to separate the bathrooms from the venue entirely—and they’re not—Still says they need to create wider spaces around the perimeter that can be divided into a walking concourse and concourse for bathroom and concessions outside of that walking lane with broad entry and exits spaces between the two.

Causes of Anxiety in a Crowd

Poor lighting and signage. Confusion causes people to stop, create clusters and get frustrated.

Poor communication. Confusing, abrasive or illogical announcements, or a lack of announcements, give rise to anxiety and frustration.

Front-to-back crowding. We want more personal space in front and behind us than we do to our sides (see “Respect Personal Space,” Page 28).

Interruption of normal gait. Walking on a crooked path doesn’t bother people if they keep their pace, but interrupting pace creates anxiety.

Unexpected events. Examples: a no-show musical act, any sort of sporting upset (including a win) or sudden severe weather.

Poor music choice in crowded spaces. Calm music with a marching rhythm works well. Aggressive music breeds aggressive behavior.

Pre-event media coverage. For example, a story on poor officiating prior to a sports event will affect how the crowd reacts to close calls. -S.B.

OPEN OPEN OPEN! Here’s a challenge: Look for areas of Pompeii’s stadium where bottlenecks might occur, where the crowd could overwhelm a space. Still says you won’t find them. Seats are at the optimum viewing angle, and seating “packing densities are to comfort, not cost.” Again, Romans weren’t worried about ROI, but Still maintains that compromise is needed in modern facilities to reduce the risk of crowd disasters. At Pompeii, spectators would have at least twice the personal space in their seats as a modern fan. Stairways to the concourse present themselves at angles that keep people moving, and they’re as wide as the concourses they link to. On the side of the stadium where the city wall comes to a corner, there are no stairs, which would have forced people into tight spaces. Exits from the stadium to the palaestra, called vomitories, span the entire western side of the space, and that space itself isn’t blocked off at its north and south extremities. Instead, it opens to wide roads, allowing for people to spill out into the city and toward gates that leave the town. The combined effect of all these design elements, Still says, is palpable. “Physically it’s the same size as a modern facility, but the perception of space is significantly different. In a place like Wembley [Stadium in London, one Still has studied], you feel somewhat oppressed, closed in.” In Pompeii, it’s so open you feel almost insignificant but also part of the spectacle. To do this today, Still says, requires forethought all the way back to site choice. Often, he says, architects and planners put aesthetics (like a skyline or waterfront view) before safety as they try to shoehorn large venues into spaces that won’t allow for the kind of openness crowds need.

BUILD A BIG ROAD. Still suggests that designs for roads and walkways leading to a stadium consider the facility’s capacity. Ancient stadiums, notably Pompeii’s and an earlier great theater, Ephesus, met this criterion. It might seem an overly generous sidewalk until you realize that the capacity at Pompeii’s stadium roughly equaled the 30,000 population. Still says: “I imagine an entire city descending on the site,” then a generously broad thoroughfare starts to make sense. Still says newer facilities do this better than older ones, but urban facilities still struggle because of space limitations.

May 2007 www.csoonline.com 27

LIMIT CORNERS. Modern stadiums often maintain the oval seating but then put blocky concourses around it. They also use switchback walkways and stairs. All of that creates corners. Corners force people to slow down and encourage congestion. Pompeii’s concourses were elliptical; few corners exist to slow people down. Still says this also evened out flow to the vomitories as people could, like liquid, choose the path of least resistance easily without interrupting their pace. Ironically, says Still, it could have been the limitations of their materials that caused Romans to adhere to this principle. They simply couldn’t build stone staircases into tight switchback configurations as we do with forged steel today. Still says architects should spend more time studying crowd dynamics to inform their design choices.

LIMIT OPTIONS. In crowd management, the maxim called Braess’ paradox states that more options equals decreased performance. That is, if you give people many routes to choose from, crowd traffic will slow down because of indecisiveness and selfish behavior when choosing one of the paths. Pompeii provides a stark example of avoiding Braess’ paradox. The entire stadium is serviced by just six stairways, all of which point in the same general direction: northwest. By the time a Roman would have to make a decision which way to go, the space has already opened wide.

ANXIETY CONTROL. A commitment to openness at ancient stadiums reflects an understanding of hard sciences like engineering and geometry, but Still believes it also reflects the ancient Romans’ understanding of human behavior. Openness reduces anxiety, and controlling anxiety is a cornerstone of crowd management. This combination of hard and soft sciences is what Still believes is lacking with many projects today. Still says facility managers “can shift the behavior of a crowd. Good signage and lighting, for example, will reduce anxiety. People need information before they approach the crowd. If one person has to ask where their seat is, then 140 people have to ask. Now there’s a backup and people are frustrated. Now those frustrated people sense disorganization and start acting out. Others take that cue and the anxiety feeds on itself. People say it’s the crowd’s fault. No. As the facility managers, you shape the behavior. Your failure to provide certain information or anticipate what creates problems, or to react properly when something does happen is what turns the crowd ugly.” In Pompeii, Still believes, Romans calmed crowds through design, even if they didn’t think of it that way. After all, a bad call by an official can spark a melee today. In ancient Pompeii, gladiatorial spectacles fed violence and death to a crowd full of men with swords.

NUCERIA VS. POMPEII. During games between bitter rivals Pompeii and neighboring Nuceria in A.D. 59, the historian Tacitus writes of an altercation that “arose out of a trifling incident at a gladiatorial show. During an exchange of taunts...abuse led to stone-throwing, and then swords were drawn.” Because of the incident, games were banned at the Pompeii stadium for 10 years (though this penalty doesn’t seem to have been enforced). This might seem to disprove Still’s notion of best practices in ancient crowd control. To the contrary, Still says. “Think of the fact they could have a sword fight in the stands, what that meant about how they had very free movement in the stands. And because of the space, people could cluster away from the small pockets of danger, preventing small incidents from becoming bigger ones.” The violence, in other words, was not a stampede or a crush. Today, nearly all crowd incidents affect the innocent, who simply can’t escape.

RESPECT PERSONAL SPACE. There are benchmarks that Still uses and the United Kingdom has adopted for crowd densities to prevent people from getting anxious. None would have been crossed at a typical event at Pompeii stadium:

■ 2 to 3 people per square meter when moving

■ 5 people per square meter when standing or sitting

■ 6 people per square meter for up to six minutes in certain situations, such as an entrance queue, if the space is monitored.

24 AUGUST, A.D. 79. Pliny the Younger wrote two letters to Tacitus about the day Vesuvius erupted and how Pompeii was erased from the earth. Pliny the Younger was in Misenum, across the Bay of Naples from Pompeii, reading Livy. When the cloud of burning ash finally rained down on the town, he and his mother fled. “A dazed crowd follows us, preferring our plan to their own (this is what passes for wisdom in a panic),” he wrote. “Their numbers are so large that they slow our departure, and then sweep us along,” a description that sounds remarkably like a crowd crush, one that Pliny and his mother survived.

But by then, Pompeii’s Anfiteatro was gone. Its elegant geometry, its ideal use of space and its beautiful openness were smothered, and preserved, under 10 feet of hot ash and pumice. ■


Send  feedback  to  Senior  Editor  Scott  Berinato  at  sberinato@cxo.com. 


It will take you about 20 to 30 minutes to read this story. Pompeii’s stadium was so well designed that it could empty itself of 30,000 spectators in less than 10 minutes.




Topics to include:

• Structuring a Business Continuity Plan: Treatment to Prevention

• Legal Requirements

• The Looming Threats: Terrorism to Pandemic

• Selling the Plan

• Business Resiliency in the Supply Chain

• Personnel Training & Exercises

• Outsourcing/Insourcing

• Succession Planning

• Crisis Case Studies

• Original Research: Best Practices in Business Continuity

• Technology Breakouts

Presented by: CIO and CSO

The Three Key Pillars of Resiliency: Business, Technology, Leadership

CIO & CSO Business Continuity Forum 2007: Building the Resilient Enterprise will provide attendees with the key strategic and tactical skills necessary to address the issues of continuity, recovery and resiliency in their enterprises. Attendees will walk away with the knowledge of how to enable enterprise resiliency within their organizations.

If you are a CIO, CSO, CTO or other business technology executive you won’t want to miss this program! Visit www.cio.com/bc_2007 or call 800.366.0246 for additional program information.

Underwriters: ProCurve Networking by HP; SunGard Availability Services. Platinum Sponsor: Avaya. Gold Sponsors: Accenture, EMC, Unisys.


Andrew Jaquith is a Yankee Group analyst and founder of discussion site Securitymetrics.org. He is also no stranger to the pages of CSO; see “A Few Good Metrics” at www.csoonline.com/read/070105. The following excerpt is taken from his current book, Security Metrics: Replacing Fear, Uncertainty, and Doubt.


A few years ago my former employer was called in by the CTO of a large, well-known maker of high-end consumer electronics. This company, which prides itself on its progressive approach to IT management, operates a large, reasonably up-to-date network and a full suite of enterprise applications. The CTO, Barry Eiger (a pseudonym), an extremely smart man, is fully conversant in the prevailing technology trends of the day. In manner and in practice, he tends to be a conservative technology deployer. Unimpressed with fads and trends, he prefers to hydrofoil above the choppy technological seas with a slightly bemused sense of detachment. Facts, rather than the ebbs and flows of technology, weigh heavily in his decision-making. In our initial conversations, he displayed an acute awareness of industry IT spending benchmarks. We discovered later that he had spent significant sums of money over the years on advisory services from Gartner Group, Meta Group, and others.

If he is so well informed, why did he call us in, I wondered? Barry’s problem was simple. His firm had historically been an engineering-driven company with limited need for Internet applications. More recently, his senior management team had asked him to deploy a series of transactional financial systems that would offer customers order management, loan financing, and customer support services. These public-facing systems, in turn, connected back to several internal manufacturing applications as well as to the usual suspects—PeopleSoft, SAP, Siebel, and Oracle. A prudent man, Barry wanted to make sure his perimeter and application defenses were sufficient before beginning significant deployments. He wanted to know how difficult it might be for an outsider to penetrate his security perimeter and access sensitive customer data, product development plans, or financial systems.

Barry asserted that his team had done a good job with security in the past. “What if you can’t get in?” he asked rhetorically. Despite his confidence, his dull ache persisted. His nagging feeling compelled him to find out how good his defenses really were. He also wanted to get some benchmarks to see how well his company compared to other companies like his.

Barry wanted a McKinsey-style “diagnostic.” This kind of diagnostic first states an overall hypothesis related to the business problem at hand and then marshals evidence (metrics) that supports or undermines the theory. The essence of the McKinsey diagnostic method is quite simple:

■ The analysis team identifies an overall hypothesis to be supported. Example: “The firm is secure from wireless threats by outsiders.”

■ The team brainstorms additional subhypotheses that must hold for the overall hypothesis to be true. For example, to support the wireless hypothesis we just identified, we might pose these subhypotheses: “Open wireless access points are not accessible from outside the building” and “Wireless access points on the corporate LAN require session encryption and reliable user authentication.”

■ The team examines each subhypothesis to determine if it can be supported or disproved by measuring something. If it cannot, the hypothesis is either discarded or decomposed into lower-level hypotheses.

■ For each lowest-level hypothesis, the team identifies specific diagnostic questions. The answers to the questions provide evidence for or against the hypothesis.

Diagnostic questions generally take the form of “The number of X is greater (or less) than Y” or “The percentage of X is greater (or less) than Y.” For example, “There are no open wireless access points that can be accessed from the building’s parking lot or surrounding areas” or “100% of the wireless access points on the corporate LAN require 128-bit WPA security.” The diagnostic questions dictate our metrics. The primary benefit of the diagnostic method is that hypotheses are proven or disproven based on empirical evidence rather than intuition. Because each hypothesis supports the other, the cumulative weight of cold, hard facts builds a supporting case that cannot be disputed. A secondary benefit of the diagnostic method is that it forces the analysis team to focus only on measurements that directly support or disprove the overall hypothesis. Extraneous “fishing expeditions” about theoretical issues that cannot be measured automatically filter themselves out.

Sample Questions for Finding Information Security Weaknesses

SUBHYPOTHESIS: The network perimeter is porous, permitting easy access to any outsider.
DIAGNOSTIC QUESTIONS:
■ How many sites are connected directly to the core network without intermediate firewalls?
■ How many of these sites have deployed unsecured wireless networks?

SUBHYPOTHESIS: An outsider can readily obtain access to internal systems because password policies are weak.
DIAGNOSTIC QUESTIONS:
■ Starting with zero knowledge, how many minutes are required to gain full access to network domain controllers?
■ What percentage of user accounts could be compromised in 15 minutes or less?

SUBHYPOTHESIS: Once on the network, attackers can easily obtain administrator credentials.
DIAGNOSTIC QUESTIONS:
■ How many administrative-level passwords could be compromised in the same [15 minute] time frame?

SUBHYPOTHESIS: An intruder finding a hole somewhere in the network could easily jump straight to the core transactional systems.
DIAGNOSTIC QUESTIONS:
■ How many internal “zones” exist to compartmentalize users, workgroup servers, transactional systems, partner systems, retail stores, and Internet-facing servers?

SUBHYPOTHESIS: Workstations are at risk for virus or worm attacks.
DIAGNOSTIC QUESTIONS:
■ How many missing operating system patches are on each system?

SUBHYPOTHESIS: Viruses and worms can spread quickly to large numbers of computers.
DIAGNOSTIC QUESTIONS:
■ How many network ports are open on each workstation computer?
■ How many of these are “risky” ports?

SUBHYPOTHESIS: The firm’s deployments of applications are much riskier than those made by leaders in the field (for example, investment banking).
DIAGNOSTIC QUESTIONS:
■ Where does each application rank relative to other enterprise applications [we have] examined for other clients?

SUBHYPOTHESIS: Application security is weak and relies too heavily on the “out of the box” defaults.
DIAGNOSTIC QUESTIONS:
■ How many security defects exist in each business application?
■ What is the relative “risk score” of each application compared to the others?
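The hypothesis tree described above, turned into a small evaluator as an added example (this is not code from the book or from CSO): the wireless hypothesis is decomposed into subhypotheses, each answered by "number/percentage of X versus Y" questions, and a subhypothesis with no measurement behind it is discarded as the method prescribes. The metric names, thresholds and the two survey results are constructed for illustration.

```python
"""Hypothesis-driven security diagnostic in the style the excerpt describes.

Added example, not code from the book or the article. An overall hypothesis is
decomposed into subhypotheses, each backed by diagnostic questions of the form
"the number (or percentage) of X is greater/less than Y". A question is answered
by a measurement; a subhypothesis with no measurable question is discarded, as
the method prescribes. Metric names, thresholds and sample measurements below
are constructed for illustration.
"""
import operator
from dataclasses import dataclass
from typing import Dict, List, Optional

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq}


@dataclass(frozen=True)
class Question:
    text: str          # the diagnostic question as the analysts phrase it
    metric: str        # key of the measured quantity that answers it
    op: str            # comparison of the measurement against the threshold
    threshold: float

    def answer(self, metrics: Dict[str, float]) -> Optional[bool]:
        """True: evidence for the subhypothesis; False: against; None: not measured."""
        if self.metric not in metrics:
            return None
        return OPS[self.op](metrics[self.metric], self.threshold)


@dataclass(frozen=True)
class SubHypothesis:
    statement: str
    questions: List[Question]

    def verdict(self, metrics: Dict[str, float]) -> str:
        answers = [q.answer(metrics) for q in self.questions]
        decided = [a for a in answers if a is not None]
        if not decided:
            return "discarded"      # nothing measurable backs it, so it is dropped
        return "supported" if all(decided) else "disproved"


@dataclass(frozen=True)
class Diagnostic:
    hypothesis: str
    subhypotheses: List[SubHypothesis]

    def evaluate(self, metrics: Dict[str, float]) -> Dict[str, str]:
        """Every surviving subhypothesis must hold for the overall hypothesis to hold."""
        verdicts = {s.statement: s.verdict(metrics) for s in self.subhypotheses}
        live = [v for v in verdicts.values() if v != "discarded"]
        if not live:
            overall = "undecidable"
        elif all(v == "supported" for v in live):
            overall = "supported"
        else:
            overall = "disproved"
        return {"overall": overall, **verdicts}


# The wireless hypothesis from the excerpt, decomposed as the excerpt suggests.
WIRELESS = Diagnostic(
    hypothesis="The firm is secure from wireless threats by outsiders.",
    subhypotheses=[
        SubHypothesis(
            "Open wireless access points are not accessible from outside the building",
            [Question("Number of open APs reachable from the parking lot or surrounding areas",
                      "open_aps_reachable_outside", "==", 0)],
        ),
        SubHypothesis(
            "Wireless access points on the corporate LAN require session encryption "
            "and reliable user authentication",
            [Question("Percentage of corporate-LAN APs requiring 128-bit WPA",
                      "pct_aps_wpa", ">=", 100),
             # Assumed metric: the excerpt names the requirement, not the measurement.
             Question("Percentage of corporate-LAN APs requiring user authentication",
                      "pct_aps_user_auth", ">=", 100)],
        ),
        SubHypothesis(
            # Constructed subhypothesis whose only question is never measured below,
            # to show the discard rule in action.
            "Employees never connect unauthorized wireless equipment",
            [Question("Number of rogue APs found per quarter",
                      "rogue_aps_per_quarter", "==", 0)],
        ),
    ],
)

# Constructed measurements from two imaginary site surveys.
SURVEY_CLEAN = {"open_aps_reachable_outside": 0, "pct_aps_wpa": 100, "pct_aps_user_auth": 100}
SURVEY_LEAKY = {"open_aps_reachable_outside": 2, "pct_aps_wpa": 100, "pct_aps_user_auth": 87}


def run_wireless_diagnostic(metrics: Dict[str, float]) -> Dict[str, str]:
    """Return the verdict for the overall hypothesis and each subhypothesis."""
    return WIRELESS.evaluate(metrics)


if __name__ == "__main__":
    for name, survey in (("clean", SURVEY_CLEAN), ("leaky", SURVEY_LEAKY)):
        print(name)
        for statement, verdict in run_wireless_diagnostic(survey).items():
            print(f"  {verdict:>11}  {statement}")
```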

So far, the sample hypotheses and diagnostic questions I have given are rather simplistic. Why don’t we return to our friend Barry’s company for a real-world example?

Recall that Barry’s original question was “Is my company’s customer data secure from outside attack?” Our overall hypothesis held that, indeed, the company was highly vulnerable to attack from outsiders. To show that this statement was true (or untrue), we constructed subhypotheses that could be supported or disproven by asking specific questions whose answers could be measured precisely and empirically. The table above shows a subset of the diagnostics we employed to test the hypothesis. Note that these diagnostics do not exhaust the potential problem space. Time and budget impose natural limits on the diagnostics that can be employed.

To answer the diagnostic questions we posed, we devised a four-month program for Barry’s company. We assessed their network perimeter defenses, internal networks, top ten most significant application systems, and related infrastructure. When we finished the engagement and prepared our final presentation for Barry, his team, and the company’s management, the metrics we calculated played a key role in proving our hypothesis. The evidence was so compelling, in fact, that the initial engagement was extended into a much longer corrective program with a contract value of several million dollars. ■




>> SCIF construction can include features such as the details shown in these four images. Wall construction defenses include heavy-gauge framing studs, insulation, a fortified drywall layer covered by foil before a second drywall layer gets applied, foil sheets that go from walls to the floor and a conduit to protect wiring.


SECURE LOCATIONS


BY  KATHERINE  WALSH 


SECRETS AREN’T ADVERTISED; THEY ARE PROTECTED. The government keeps some of the biggest secrets of all—the exposure of which might pose a threat to national security—in places where the name hides nothing: a Sensitive Compartmented Information Facility (SCIF). But the buildings carrying the SCIF label are made to hide everything.

A government rule called “The Director of Central Intelligence Directive 6/9” details the physical requirements for SCIF construction: Walls, floor and ceiling must be permanently constructed and attached to each other. They should also be reinforced on the inside with steel plates, and slab-to-slab with 9-gauge expanded metal. All doors, windows, walls, floors, vents and ducts must be protected by sound masking devices, such as noise and vibration generators, bars, grills or sound baffles, in order to meet sound attenuation criteria and prevent disclosure of conversations. Entrance doors should be limited to one, which must be equipped with locks and alarms, and made of solid wood (no less than 1¾ inches thick) or clad with 16-gauge metal (no less than 1¾ inches thick). And, most important of all: The building must be nondescript enough so that you can’t tell what it is.

IN THIS STORY A discussion of federal requirements for secure facilities ■ A framework for applying federal security standards to private-sector facilities

Since the early days of the Cold War, the federal government has required secure facilities to keep national secrets safe. Private-sector CSOs looking to build a secure building can find lessons from the feds hiding in plain sight.

“The concept behind SCIFs was to create a secure area that had appropriate protections in place to ensure to the greatest extent possible that the highly sensitive information inside would not be compromised,” says Lynn Mattice, VP and CSO at Boston Scientific, a manufacturer of medical devices. Mattice is familiar with the requirements around SCIF construction: As director of corporate security at Northrop during the major defense buildup of the Reagan administration, he oversaw the completion of multiple rooms built to SCIF standards. At Whirlpool, where he was director of corporate security for a number of years, and now at Boston Scientific, Mattice says he has built soundproof rooms and does sweeps for electronic countermeasures from time to time.

While it’s unlikely that the cost-benefit calculation for a private-sector organization would lead many businesses to build a facility meeting all of the requirements of a government-mandated SCIF—such features can add hundreds of dollars per square foot of office space—there are lessons to learn about secure facilities from the people who construct them according to the federal government’s strict specifications. Most large organizations would benefit from employing some of the requirements, says Hal Walter, a classification compensation analyst at the University of North Carolina at Charlotte. “Some global organizations today are just as large as the governments that these facilities were designed for,” Walter says.

The key is to know what information is sensitive enough to require many of the same methods the government uses to guard its secrets.

ASSESS  WHAT  YOU  NEED  TO  PROTECT 

For the past five-plus decades—think history of the Cold War—the government has maintained a hierarchy of classified information, determined by the level of threat its exposure would bring to the United States. Top Secret owns the list: Its public knowledge would pose grave danger to national security. Weapons design specs and sensitive intelligence fall within this category.

Secret (the level that most classified information in this country is assigned) means if this information was leaked, it would cause serious damage. Confidential information would harm national security if it were made public; while it’s the lowest level, it is still information that the government does not want made available.

Sensitive Compartmented Information (SCI) refers to the security wrapped around access to this classified information—not the information itself. SCI is often loosely applied to describe all sensitive materials, and that’s not correct, says Ben Shaw, facilities security officer (FSO) at advisory Morgan Franklin. “People use it as a blanket term,” he says, when in fact, it’s more like an extra layer of security, usually applied to special access programs or special government projects.

For example, the Department of Defense may want to limit access to sensitive information about a particular project so only people working on the project have access. Thus even an individual possessing a Top Secret security clearance would need specially granted access to that information (which would be maintained within a SCIF). There is no universal SCI clearance (as there is for Top Secret clearances) because an SCI access authorization is related to specific programs or information. Mattice says that before you even go through the clearance process, a contract sponsor from the government will certify that you “need to know” SCI level information. “Most SCI access authorizations require one of the most in-depth background investigations the government runs,” says Mattice. Such a clearance may also require a polygraph exam and periodic reexaminations, says Mattice.

For the purposes of this article, substitute other business-critical words for “national security” when thinking about secure facilities. Walter thinks that companies would be most driven to protect matters that could be embarrassing or costly or would give advantages to a competitor. Mergers and acquisitions are good examples. “If my company was up for a merger, or I was going to discuss a takeover, controlling leaks would be critical. A company needs an area where people in upper management can securely discuss things or look at documents,” says Walter. Data such as customer account information, health records and Social Security numbers would also be considered highly sensitive. And internal company information, such as business plans, should be protected as such.

Labeling sensitive information at your company will stem from a combination of your corporate goals and the need to comply with government regulations such as the Health Insurance Portability and Accountability Act or the Trade Secrets Act.

This discussion of sensitive information ties into a risk analysis of both the data sets you want to keep secure and the intellectual property you have in your company’s portfolio.

Organizations with government contracts don’t have much choice when it comes to the information they protect: SCIF design specifications are spelled out for them. Security executives and their business colleagues have to make these assessments themselves.

Michael Creaney, a principal and director of development at the Creaney & Smith Group, a commercial real estate developer, says that just as the level of cleanliness in a clean room, which is used by drug manufacturers, depends on what is occurring inside of it (counting, mixing or testing drugs), the level of SCIF security depends on the information within it.

Understanding what needs to be protected will start with prioritizing sensitive data. “You need to look at the information you are trying to protect, decide what the consequence would be if the information was leaked, and what you are willing to do to keep that from happening,” says Walter. Some organizations find it useful to bring in outside consultants to help this evaluation process.

PROTECTION  AT  A  PRICE 

SCIFs are expensive, and for that reason, experts say companies with government contracts should follow the letter of their government specs—and no more. So corporations employing SCIF-inspired standards for facility management, for heating, ventilation and cooling systems, for access control or electrical wiring, should pick and choose the requirements from the government directives that are best suited to meet their needs.

Even the lowest-level SCIF requirements come at a cost. “At the lowest level, the [facilities] are secured physically and electronically for preventing the loss of info, data and material,” says Creaney, who has been building and retrofitting office space for SCIFs since 1984. This lowest level—government SCIF projects reach five or six different levels, Creaney says—is probably what would benefit most corporations, experts say. At that level, SCIFs may cost an extra $50 per square foot (above and beyond normal office space cost); toward the higher end, as much as $350, Creaney says. Mattice cites a range from $150 to as much as $1,000 per square foot. Shaw of Morgan Franklin says that the cost of a 2,000-square-foot SCIF divided into multiple offices can run from $400,000 to $1 million.

Walter says that it is essential for companies working on buildings with SCIF-level features to work with a contractor who can see the reasons behind extra precautions: “Otherwise you may end up with a nice-looking facility that leaks like a sieve because the people building it did not understand the reasoning behind the plans.”

THINK  IN  LAYERS 

Secure facilities experts like Shaw, Creaney and Tabetha Chandler, president of consultancy and SCIF builder FSO To Go, spend a lot of time studying government specifications for constructing secure facilities. The reasons for this range from the different rules that authorities have set out for what makes a secure building (see “By the Book,” this page) to the fact that they say more government programs require secure facilities since the September 11 terror attacks. They deliver a clear message from this experience as bureaucratic interpreters: Know how your facility and staff need to work so you can secure assets needing protection. And be ready to do it for a long time. “It’s unfortunate that people build things and then become complacent—when it’s time to enact that level of security they don’t posture their business or train their staff to fully understand the requirements,” says Chandler. For that reason, these experts say you should think about secure facilities as not one entity, but many. Some examples:

Physical security. Chandler says that security officers need to understand their building’s surroundings and environment. “Physical security is always the center point of securing classified information,” she says. “Look at who is 200 meters around you; don’t just center on your office suite or headquarters.” At the minimum, says Walter, the facility should have one access point or door devoid of any gaps, and ductwork openings that are secure.

Information security. Phones should have filters that prevent wiretapping, says Walter, and encryption is vital. “It tends to be transparent to the user, and it can be easily installed and upgraded.” Controlling electronic transmissions can be accomplished with shielding, filters, grounding and devices limiting radio frequency (RF) emissions. Shielding the walls of the SCIF with foil and other conductive materials will help ground electronic signals generated within the SCIF, says Walter.

Employee security. Last but most important is the human factor. “The best security systems, even ones built by the CIA, can be and have been compromised by employees,” Walter notes. A select number of designated employees should be assigned responsibility for certain facets of security, such as inventory of data and documents, says Walter. If employees violate policies and procedures, they must be held accountable, he adds. It’s also important to have an efficient way to identify employees who don’t follow security measures and resolve the situation immediately, he says. Even if your company doesn’t require a security clearance, you should know who has access to the data. And, of course, vetting everyone on the secure site through background checks is a must.

Reach  Associate  Staff  Writer  Katherine  Walsh  at  kwalsh@cxo.com. 


A selection of manuals and directives used by different agencies that spell out the construction requirements for a Sensitive Compartmented Information Facility (SCIF):


Quick Reference SCIF Construction Guide
www.fas.org/irp/offdocs/dcid1-21-ref.htm

National Industrial Security Program Operating Manual (NISPOM)
www.fas.org/sgp/library/nispom/nispom2006.pdf

Director of Central Intelligence Directive (DCID)
www.fas.org/irp/offdocs/dcid6-9.htm

Federation of American Scientists, list of all DCI directives
www.fas.org/irp/offdocs/dcid.htm


34  www.csoonline.com  May  2007 


Are you Secure?

If you're not feeling good about your company's level of endpoint security, you're not alone.

[Chart: “How would you best describe your organization's current situation regarding endpoint security?” Response categories: Low level, Average level, High level.]

Source: CIO/Computerworld/CSO online survey, January 2007, 516 respondents involved in security strategy

Join the experts on endpoint security, and your peers, for the first ever virtual conference on the topic. This free conference will focus on the strategies and tactics for protecting data at the edge of your network.

Endpoint Security: A Virtual Conference
Presented by CIO, CSO and Computerworld

PRESENTED BY: CIO, Computerworld (The Voice of IT Management), CSO (The Resource for Security Executives)

Live Event: May 23, 2007 | On Demand: May 24 - November 30, 2007

Register now at www.endpointsecurityconference.com

Platinum Sponsor: Novell

Gold Sponsors: Credant Technologies, Symantec, Webroot Software, Inc.

Silver Sponsors: Forescout, Kace, Kingston Technology, Qualys, RSA, Thawte

Bronze Sponsors: Core, Kazeon, PGP, SonicWALL, Tablus, Workshare


CSO Undercover

A Pothole on Wall Street

A financial services CISO ponders a huge, unchecked vulnerability in how the industry processes market news. By Anonymous

I’M A CISO who has worked in the financial services industry both as a regulator and for a large services company. In this column I’m going to let you in on one of the biggest, dirtiest secrets in the industry: The companies that get the least amount of scrutiny from financial regulators actually present some of the greatest risks for systemic financial market manipulation and fraud. I’m talking about financial news and brokerage service companies.

Various companies (if you’re on Wall Street, you certainly know the names) lease computer terminal services to financial institutions that do securities trading. These terminals present the latest in market news and securities pricing. The securities traders at the financial institutions make decisions based on the information they receive from these computer terminals and, in turn, execute their trades using these same terminals. Because of the central function the terminals play in presenting market data and financial news, and executing trades, they are at the heart of the international financial system.

Yet few people realize the huge information security vulnerabilities that exist in the services provided on these terminals. These vulnerabilities have the potential to enable individual instances of fraud and could potentially have an enormous impact on financial markets. Once you start poking at how the system works, it’s hard not to think about how easy it would be for a ne’er-do-well to do something truly awful.

Let  Me  Count  the  Ways 

The first vulnerability is in the financial feeds themselves. One major service that financial news companies provide is financial data from the markets around the world. These feeds let dealers know the up-to-the-second “buy” and “sell” prices of publicly traded securities. Based on this knowledge, the traders then make decisions that can result in hundreds of millions of dollars worth of trading.



To get a feeling for just how important this is for trading floors of large financial firms, consider this: I once knew a network systems engineer who was awarded an annual bonus of $1 million for reducing the transaction time of trades in his firm by one second. Yes, for these people time really is money—and big money at that.

Yet, in my experience, there is absolutely no authentication between the financial news companies that are receiving and broadcasting the data through their terminals, and the financial markets that put out the data. Data feed connections with financial markets have no authentication, are not encrypted and have no checks for data integrity. This lack of controls is primarily a function of the time pressures of the market. No one wants to slow down market pricing information with security controls. With such a blatant lack of security, it would be very easy to mount a successful man-in-the-middle attack.

How would this work? Let’s say our hypothetical hacker could tap in to the link between a financial market and the news company. The hacker could manipulate the price of a given stock to show that its share price had plummeted 20 percent. When this information reached all the traders using that company’s terminals, some (albeit not all) would see the drop and act on it by, say, selling off shares of that security. Remember, this may be done either through a conscious decision on the part of the traders, or simply through a preset computer algorithm that monitors and makes decisions based on fluctuations of a security’s pricing. This drop in price could, in turn, prompt other traders (even those using other companies’ terminals) to quickly dump the stock, which would drive down the price even further.

Meanwhile, the wily hacker could take advantage of the market’s going short on the stock to quickly snap up shares. When the market finally realized the mistake, there would be a correction as the stock returned to its fair market value price. Unfortunately, the hacker then could make off with a nifty fortune by selling the stock he bought at his “discounted” price. There might be an investigation by the Securities and Exchange Commission into the sudden drop in the stock, but with no authentication, encryption or data integrity checks in the market feed, there wouldn’t be a lot of evidence that could be used to detect the hacker.

ILLUSTRATION BY MICHAEL MORGENSTERN
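The three controls the column says the feeds lack (sender authentication, price integrity and replay protection), shown as an added Python example that is not code from the column or from any feed vendor: the market side tags each quote with an HMAC-SHA256 over a sequence-numbered body, and the subscriber rejects a quote whose price was rewritten in transit as well as a quote replayed from an earlier capture, keeping what it rejected as evidence for investigators. The key, the symbol "XYZ", the prices and the message layout are all constructed for the demo.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Quote:
    """One price update on the feed (constructed layout, not a real exchange format)."""
    seq: int       # per-feed counter; must strictly increase
    symbol: str
    bid: float
    ask: float


def _canonical(q: Quote) -> bytes:
    # Sorted keys, no whitespace: publisher and subscriber MAC identical bytes.
    return json.dumps(
        {"seq": q.seq, "symbol": q.symbol, "bid": q.bid, "ask": q.ask},
        sort_keys=True, separators=(",", ":"),
    ).encode()


def publish(key: bytes, q: Quote) -> bytes:
    """Market side: canonical body, a separator, and a hex HMAC-SHA256 tag over the body."""
    body = _canonical(q)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class FeedVerifier:
    """Subscriber side: authenticate first, parse second, then enforce increasing seq."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._last_seq = -1
        # Rejected messages are retained: this is the evidence the column says
        # an unauthenticated feed would never give the SEC.
        self.rejects: List[Tuple[str, bytes]] = []

    def verify(self, wire: bytes) -> Tuple[Optional[Quote], str]:
        body, sep, tag = wire.rpartition(b"|")
        if not sep:
            return self._reject("malformed", wire)
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest().encode()
        # Constant-time compare; untrusted JSON is only parsed after the tag checks out.
        if not hmac.compare_digest(expected, tag):
            return self._reject("bad_mac", wire)
        d = json.loads(body)
        q = Quote(d["seq"], d["symbol"], d["bid"], d["ask"])
        if q.seq <= self._last_seq:
            return self._reject("replay", wire)
        self._last_seq = q.seq
        return q, "ok"

    def _reject(self, reason: str, wire: bytes) -> Tuple[Optional[Quote], str]:
        self.rejects.append((reason, wire))
        return None, reason


def tamper_price(wire: bytes, factor: float) -> bytes:
    """Model of the on-path change the column describes: rewrite the prices in the
    body without knowing the key, so the original tag has to be carried over."""
    body, _, tag = wire.rpartition(b"|")
    d = json.loads(body)
    d["bid"] = round(d["bid"] * factor, 2)
    d["ask"] = round(d["ask"] * factor, 2)
    return json.dumps(d, sort_keys=True, separators=(",", ":")).encode() + b"|" + tag


def demo() -> dict:
    """Run one genuine quote, the 20 percent price cut from the column, a replay of the
    genuine quote and the next genuine quote through the verifier."""
    key = b"constructed-demo-key"            # constructed; real feeds would provision keys
    sub = FeedVerifier(key)
    genuine = publish(key, Quote(1, "XYZ", 40.00, 40.05))   # "XYZ" is a made-up symbol
    forged = tamper_price(genuine, 0.8)                      # share price "plummeted 20 percent"
    results = {
        "genuine": sub.verify(genuine)[1],
        "forged": sub.verify(forged)[1],
        "replayed": sub.verify(genuine)[1],
        "next": sub.verify(publish(key, Quote(2, "XYZ", 40.01, 40.06)))[1],
    }
    results["evidence"] = len(sub.rejects)
    return results


if __name__ == "__main__":
    # {'genuine': 'ok', 'forged': 'bad_mac', 'replayed': 'replay', 'next': 'ok', 'evidence': 2}
    print(demo())
```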

To be fair, this is really not the financial news companies’ fault. If they want the data feeds from a market, then they have to play by that market’s rules. Because most financial markets refuse to put in authentication, encryption and data integrity checks for their feeds, the financial news companies have little choice but to go along. What other option do they have? Not provide the market information to their clients? Not likely.

A second major flaw in the operations of these companies is the manner in which financial news is reported. Like the market data feeds, market news can quickly affect the pricing of securities. Yet it is painfully ridiculous how easily market news can be spoofed.

For example, several years ago a fax was sent to the news division at one of the terminal services companies with a bogus press release from a publicly traded security, Emulex. The press release gave out bad news about the company. The news division failed to authenticate the fax and, given the tremendous pressure to be first to press with breaking market news, editors published the bogus information from the fax on their financial terminals. Other financial news companies, not wishing to be scooped, also began posting the same bogus information on their terminals. Predictably, the price of Emulex stock fell. The perpetrator of the fraudulent fax had, meanwhile, been waiting for the market to go short on Emulex, and he quickly bought up the stock at the reduced price.

The SEC later investigated and caught the perpetrator of the fraud, but the target of the investigation was the perpetrator of the fraud and not the lack of controls at the news organization that enabled the fraud to take place. Sadly, such a scenario could take place again today—it just takes the successful spoofing of one financial news company to create the fraud.

A third major flaw of financial news and service companies is with the terminals they provide to their clients. At a company I’m familiar with, the client logged on to the terminal using a fingerprint scanner. The scanner took an image of multiple points along the ridge lines of the customer’s finger. The image was then stored and matched against subsequent images taken at log-in. An 80 percent match in the position of the computer user’s finger ridge lines would produce a “match” and thus a successful authentication.

The only problem was that the image of the fingerprint was stored at the fingerprint scanner at the terminal and not at the authentication server located at the terminal provider’s premises. Thus, a knowledgeable hacker could spoof a successful log-in by tampering with the fingerprint scanner in such a way as to get it to transmit the local fingerprint match to the terminal provider’s authentication server. To be sure, it would have to be a sophisticated hacker with detailed knowledge of how the scanner worked. But given that the fingerprint scanner is in wide usage in the industry, it would not be difficult to get such a device, monitor the authentication protocol traffic and then use a replay attack in order to complete a successful bogus authentication.

What would this bogus authentication gain the hackers? Well, they could potentially begin transmitting trades on the hijacked terminal. If they hijacked the right terminal of, say, the head of market operations at one of the primary dealers in the financial services industry, then they could conceivably buy or sell off securities with a very large market value. Yes, it would be a difficult fraud to initiate, but given the potential payoff it would certainly be worth it to the hacker.

Why  the  Absence  of  Oversight? 

Given all this, by now you’re probably wondering why these companies aren’t more closely regulated. After all, these vulnerabilities, if successfully exploited, could either result in enormous and systemic consequences to the financial markets or, at the very least, enable individual instances of fraud.

It’s not that the financial news and trading terminal service companies are deliberately overlooked by regulatory watchdogs; it’s just that they fall between the cracks. If they’re private companies, they don’t have any oversight from Sarbanes-Oxley. The Federal Reserve and the Office of the Comptroller of the Currency don’t regulate them because they aren’t banks. If they provide only the front-end interface (that is, the terminal), they can foist any potential SEC inquiries about trading operations onto the brokerage firms to which they’ve outsourced the back-office operations. They thus can rebuff just about any federal and state regulatory entity.

Given the current backlash against Sarbanes-Oxley, the financial services industry has a noticeable lack of appetite to undertake any new regulatory measures. So, although these security vulnerabilities exist and at great risk to the financial markets, the industry will probably muddle along until the day they actually cause the damage described in this article. Until then, the industry will continue to whistle past the graveyard.

CSO Undercover is written anonymously by a real CSO. Send feedback to csoundercover@cxo.com.




Sales and Services

CSO Sales Offices
President and CEO: Michael Friedenberg • 508 935-4310
Publisher: Bob Bragdon • 508 935-4443
Senior Ad Sales Associate: Christine Hopkins • 508 988-7836
Eastern Territory, East Coast Regional Manager: Roz Burke • 508 935-4163
Western Territory, Regional Sales Manager: Drew Seifried • 206 245-3328

Integrated Media and Online Sales
Online Regional Sales Managers: Tina Dudarevitch • 718 279-2396
Online District Sales Manager: Sara Mascall • 415 978-3385
Manager, Online Account Services: Danielle Tetreault • 508 988-7969
Online Account Services Specialist: Valerie Sumner • 508 988-7877
Online Ad Sales Associate: Devon Slattery • 415 975-2687
Online Advertising Specialist: Irina Gabechiia • 508 935-4414
Online Account Services Coordinator: Hayley Nickerson • 508 988-7819

Custom Solutions Group
Vice President: Matt Avery • 508 935-4796
Executive Editor: Tom Field
Managing Editor: Jim Malone
Associate Editor: Anne Taylor
Senior Project Manager: Amy Greenleaf
Project Managers: Karen Capland, Amy Freeman

CSO Executive Council
Managing Director: Bob Hayes
VP, Research and Product Development: Kathleen Kotwica
Director, IT and Product Technology: Greg Kane
Operations and Production Specialist: Jayne Marcucella
Member Services Manager: Elizabeth Lancaster

Production
VP/Manufacturing: Chris Cuoco
Production Manager: Heidi Broadley
Associate Production Manager: Lisa M. Stevenson

Executive Programs
VP, Executive Programs: Ellen Daly
Director, Event Marketing: Mary Conroy
Director, Event Operations: Deb Begreen
National Sales Manager: Per Melker
Senior Conference Producer: Judith Kittredge
Event Planner: Sarah Reagan
Event Coordinator: Bethany Whiffin
Registration Specialist: Cress O'Brien
Client Services Specialist: Erica Foster
Sales Associate: Nicole Blackburn • 508 935-4154

Marketing
Sr. Director, Marketing Communications: Sue Yanovitch
Sr. Marketing Communications Specialist: Susan Murray
Marketing Communications Specialist: Lynn Holmlund

Circulation
Senior VP/Circulation: Carol A. Spach
Subscription Services Supervisor: Tina Pescaro

List Services
Contact Paul Capone of IDG List Services at 508 370-0865 or pcapone@idglist.com.

Reprint Services
For article reprints (100 quantity or more), please contact Keith Williams at PARS International at 212 221-9595, ext. 319, or e-mail keith.williams@parsintl.com.

For further sales information, visit www.csoonline.com/reprints/index.html.

CSO Contact Information

Editorial/Advertising/Business Offices
492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208
Main phone number: 508 872-0080
Postal Information

CSO (ISSN 1540-904x) is published monthly by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodicals Postage Rate at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. CANADIAN POSTMASTER: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9.

Permissions

Copyright 2007 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Send requests to Yadira Pizarro, PARS International, 212 221-9595, ext. 231, or e-mail yadira@parsintl.com.

Photocopy Rights

Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that a fee of $3.50 per copy of the article is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01970, www.copyright.com. Please specify: ISSN 1540-904x. Permission to photocopy does not extend to contributed articles followed by this symbol:

Subscriptions

Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125.

CSO is free to qualified information executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 International. Please allow four to six weeks for new subscriptions to begin.

Change of Address

Go to www.omeda.com/custsrv/cso and follow the online instructions.

Postmaster

Send change of address to: CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.


Index of Companies and Advertisers

Company Index

406 Ventures ..... 30
American Express Co. ..... 16
Atlas Venture ..... 30
BBN Technologies ..... 30
CheckFree Corp. ..... 16
Chevron Corp. ..... 16
Chief Security Officers ..... 16
ChoicePoint ..... 16
Commtouch Software Ltd. ..... 7
CompUSA Management Co. ..... 30
Counterpane Internet Security Inc. ..... 30
Dow Jones & Co. Inc. ..... 16
DriveSavers Data Recovery ..... 7
DuPont ..... 7
Federal Trade Commission ..... 7
Friendly Ice Cream Corp. ..... 4, 26
Gartner Inc. ..... 16, 30
Grand Idea Studio Inc. ..... 30
Harvard University ..... 14
Home Depot U.S.A. Inc. ..... 36
Honeywell International Inc. ..... 4
JCB International Credit Card Co. Ltd. ..... 16
Los Angeles County Economic Development Corp. ..... 7
Marriott International Inc. ..... 16
MasterCard ..... 16
Merchant Risk Council ..... 16
Microsoft Corp. ..... 14, 30
Morgan Stanley Co. ..... 16
New York Times Co., The ..... 7
One Laptop Per Child ..... 14
Pay By Touch ..... 16
PayPal ..... 16
PCI Security Standards Council LLC ..... 16
Polaris Venture Partners ..... 30
Red Hat Inc. ..... 14
Royal Ahold ..... 16
Sony Corp. ..... 7
Sophos Plc ..... 7
SRI International ..... 30
Stop & Shop Supermarket Co. ..... 16
Symantec Corp. ..... 22, 30
Tenable Network Security Inc. ..... 30
TJX Companies Inc., The ..... 7, 16
Turner Broadcasting System Inc. ..... 7
Veracode Inc. ..... 30
Visa International Service Association ..... 16

Advertiser Index

BigFix, Inc. ..... 15
CXO Media Inc. ..... 13, 29, 35
Entrust ..... C4
Executive Women’s Forum ..... 38, 39
Fortify Software Inc. ..... 22, 23
HID Corp. ..... 5
ISACA ..... 6
ISC2 ..... C2
Juniper Networks Inc. ..... 3
LURHQ/SecureWorks ..... 17
Oracle Corp. ..... 9
Tumbleweed Communications Corp. ..... C3
Tyco Fire & Security ..... 11
Vericept Corp. ..... 12a




Women of Influence Awards

CALL FOR NOMINATIONS

Nominate your peers, clients and customers for the Women of Influence Awards. Co-presented by Alta Associates and CSO magazine, the awards honor four women for their accomplishments and leadership roles in the fields of information security, risk management and privacy. Winners will be announced at an awards ceremony during the Executive Women's Forum.

Nomination form available at: www.infosecuritywomen.com

NOMINATIONS MUST BE SUBMITTED BY AUGUST 1, 2007

Media sponsor & awards co-presenter: CSO, The Resource for Security Executives

Forum host & awards co-presenter:


5th Annual EXECUTIVE WOMEN'S FORUM
Information Security, Risk Management & Privacy

September 19-21, 2007 | Hyatt Regency Resort & Spa | Scottsdale, AZ

Managing Risk Through Collaboration

Hosted by Alta Associates, Inc., the 5th Annual Executive Women’s Forum (EWF) brings together more than 200 women of influence, power and intelligence to explore the impact of managing risk through collaboration in today’s global business environment.

The EWF provides a casual venue that fosters the development of creative ideas, innovative solutions and deep relationships. Join your peers to explore how we are connecting the dots.

KEYNOTE PANEL TOPICS

> COMPLICATIONS FROM INNOVATION
> PRIVACY—ARE YOU IN JEOPARDY?
> DATA, DATA, WHO’S GOT MY DATA?
> ENTREPRENEURIAL SPIRIT
> YEAR IN REVIEW—HEADLINES & PREDICTIONS

Diamond Sponsors: Carnegie Mellon CyLab (Information Networking Institute), Microsoft, Sun Microsystems, Symantec

WOMEN OF INFLUENCE AWARDS

Nominate your peers, clients and customers for the Women of Influence Awards. Co-presented by CSO magazine and Alta Associates, the awards honor four women for their accomplishments and leadership roles in the fields of security, risk management and privacy. Winners will be announced at an awards ceremony during the Executive Women’s Forum.

NOMINATION FORM AVAILABLE AT: http://public.cxo.com/awards/applicationWOI_2007.html

Nominations must be submitted by August 1, 2007.

Media sponsor & awards co-presenter: CSO, The Resource for Security Executives

Forum host & awards co-presenter:

For more information on the EWF or to register, please visit: www.infosecuritywomen.com


They Said It

Quotes of Note

Heard at the CSO Perspectives Conference in Colorado Springs, Colo.

“The FBI is better [than local police] at keeping their mouth shut to the press.”
-ATTENDEE PLAYING THE VICTIM OF A SERIOUS DATA BREACH IN THE CONFERENCE'S OPENING TABLETOP EXERCISE

“All we kept saying is, ‘We have no investigation open at this time.’”
-ATTENDEE PLAYING THE LOCAL POLICE IN THE TABLETOP EXERCISE

“It’s going to get spun [by the media], because the truth isn’t interesting.”
-ATTENDEE PLAYING THE VICTIM

“Facts don’t matter. Everything we saw from [the breached company] looked like a cover-up, whether or not there was one.”
-ATTENDEE PLAYING THE PART OF THE MEDIA

“We had a plan. Back-to-back hurricanes overwhelmed the plan.”
-TARGET VP BRAD BREKKE, ON DISASTER RECOVERY IN THE FACE OF HURRICANES KATRINA AND RITA IN 2005

“Diplomacy is the art of saying, ‘Nice doggie, nice doggie,’ until you can find a rock.”
-AMBASSADOR L. PAUL BREMER III, WHO LED THE COALITION PROVISIONAL AUTHORITY IN IRAQ FROM 2003 TO 2004, QUOTING WILL ROGERS

“The problem [in Iraq], of course, is security. This year has been disappointing.”
-BREMER, IN HIS KEYNOTE ADDRESS

“Americans must be patient. It will be a long war, like the Cold War.”
-BREMER

“I think it’s a bunch of crap.”
-FORMER CSO GEORGE CAMPBELL, ON THE CONCEPT OF SECURITY CONVERGENCE

“It is inevitable.”
-FORMER CSO DAVID BURRILL, ON THE SAME

“We find that...not good.”
-BRUCE LARSON, CSO OF AMERICAN WATER, ADDRESSING THE IDEA OF SOMEONE TAINTING THE WATER SUPPLY, WITH UNDERSTATEMENT




There's an easier way to safely transfer Todd's financial data over FTP.

(Without wasting manpower on costume design.)

There isn't much IT managers won't try when it comes to securing file transfers. But drastic measures (even the creative ones) run the risk of wasting valuable resources and hindering employee productivity. Tumbleweed delivers serious protection, simply. With a product suite that's quick to deploy, easy to manage and intuitive to use, file transfers are a snap—no masterful disguises necessary.

Tumbleweed
www.tumbleweed.com/easierway
Messaging. Secure and Simple.

© 2007 Tumbleweed Communications Corp. All rights reserved. Tumbleweed and the Arrows logo are registered trademarks of Tumbleweed Communications Corp. in the United States and/or other countries.


You might not want to use the same authentication mechanism for Sally as you do for a server...

But you can operate both methods from a single platform

Flexible and efficient, Entrust IdentityGuard serves as a versatile authentication platform that provides a range of choices: machine authentication, grid cards, questions and answers, digital certificates, out-of-band and the industry-first $5 OTP token. Whether it's versatile authentication, disk encryption, fraud detection, secure messaging or anything in between, organizations need a layered security expert that has security in its DNA. Visit www.entrust.com to find out more.

Entrust is a registered trademark of Entrust, Inc. in the United States and certain other countries. In Canada, Entrust is a registered trademark of Entrust Limited. All other Entrust product names and service names are trademarks or registered trademarks of Entrust, Inc. or Entrust Limited in certain countries. All other company names, product names and logos are trademarks or registered trademarks of their respective owners. ©Copyright 2007 Entrust. All rights reserved.


